According to Russian cybersecurity firm Positive Technologies, multiple vulnerabilities found in industrial controllers made by WAGO can be abused to disrupt technological processes, which in some cases could lead to industrial accidents.
WAGO is a German company that manufactures components for electrical connections and electronic components for decentralized automation.
The vulnerabilities, which the vendor has now addressed, were discovered in the WAGO PFC200 programmable logic controller (PLC). One of the issues, tracked as CVE-2021-21001, is a path traversal flaw in a CODESYS component used by the device and is rated critical severity.
It allows a network-connected attacker with elevated capabilities to access the target device's file system by sending specially crafted packets.
Vladimir Nazarov, head of ICS security at Positive Technologies, explained, “By exploiting this vulnerability, attackers can access the controller file system with read and write rights. Changes in the PLC file system may cause disruption of technological processes and even lead to industrial accidents.”
The second vulnerability, CVE-2021-21000, is a medium-severity problem that affects WAGO's iocheckd service, which is used to check PLC input/output and display the PLC configuration. This weakness can be exploited by an unauthenticated attacker with network access to the device to cause a denial-of-service (DoS) condition.
“Exploitation may cause a sudden shutdown of the controller, and in turn interrupt technological processes,” Positive Technologies explained.
These flaws, along with ten others uncovered by Positive Technologies in CODESYS industrial automation software, were disclosed by Germany's VDE CERT in May.
The ten CODESYS flaws, the majority of which were rated critical or high severity, affected industrial control systems (ICS) from more than a dozen vendors that use CODESYS software.
The US government recently sanctioned Positive Technologies for allegedly assisting Russian intelligence agencies. However, the company stated that it will continue to responsibly disclose vulnerabilities discovered by its employees in major U.S. corporations' products.