Hole Found in WAGO PLC

Wednesday, December 6, 2017 @ 12:12 PM gHale

The WAGO PFC200 PLC series based on Linux contains a vulnerable version of the CODESYS runtime (, researchers said.

The CODESYS process runs with “root” privileges and can be abused in multiple ways to read/write/delete files or to modify the Programmable Logic Controller (PLC) program during runtime without any authentication, said SEC Consult researchers in a report.

Siemens Mitigates Hole in Industrial Products
Siemens Updates Mitigation for KRACK Holes
Siemens Fixes SWT3000 Firmware
Ethicon Endo-Surgery Clears Vulnerability

“The WAGO-I/O-SYSTEM is a flexible fieldbus-independent solution for decentralized automation tasks. With the relay, function and interface modules, as well as overvoltage protection, WAGO provides a suitable interface for any application,” Wago said on its website.

“The PFC family of controllers offers advanced compact, computing power for PLC programming and process visualization. Programmable in accordance with IEC 61131-3 600, PFC controllers feature a 600 MHz ARM Cortex A8 processor that offers high speed processing and support of 64 bit variables,” Wago said.

In the vulnerability, the “plclinux_rt” service accepts different unauthenticated actions.

This vulnerability contains the architectural security problems described by security researcher, Reid Wightman, SEC Consult researchers said. The SDK of “plclinux_rt” is written by the same vendor (3S-Smart Software Solutions). Therefore, the file commands of “Digital Bond’s 3S CODESYS Tools”, created around 2012 are applicable.

The CODESYS command-line is protected with login credentials, that’s why the shell of the mentioned tools does not provide root access out of the box. But after some investigation it was clear that there are further functions which are reachable without using the command-line and without any authentication.

The CODESYS Runtime Toolkit is embedded software developed by 3S-Smart Software Solutions and it’s used by multiple vendors in hundreds of PLCs and other industrial controllers.

WAGO learned about the vulnerability in August, but it has yet to release a patch. The German-based vendor said a fix should be available in January.

SEC Consult published an advisory describing the flaw, but it will not release a proof-of-concept (PoC) exploit until a patch is available.

Because of the use in industrial and safety-critical environments a patch should be applied as soon as it is available, SEC Consult researchers said. This device series in the mentioned device series with firmware 02.07.07(10) should not be connected directly to the Internet (or even act as gateway) since it is very likely that an attacker can compromise the whole network via such a device, the researchers said.

SEC Consult recommended not to use this product in a production environment until a thorough security review has been performed by security professionals.

In the meantime, the researchers said users should update your WAGO PFC200 Series to firmware version FW11 as soon as it is available. In the meantime, here is a workaround: Delete “plclinux_rt” or close the programming port (2455) and network access to the device should be restricted.

Leave a Reply

You must be logged in to post a comment.