Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.TENABLE_OT_WAGO_CVE-2019-5181.NASL
HistoryFeb 14, 2023 - 12:00 a.m.

Wago PFC200 iocheckd service 'I/O-Check' cache Code Execution (CVE-2019-5181)

2023-02-1400:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
5
wago pfc200
iocheckd service
i/o-check
code execution
cve-2019-5181
stack buffer overflow
wago pfc 200 firmware
xml cache file
code execution

0.001 Low

EPSS

Percentile

22.9%

JSON

An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service I/O-Check’ functionality of WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can cause a stack buffer overflow, resulting in code execution. An attacker can send a specially crafted packet to trigger the parsing of this cache file.
The destination buffer sp+0x440 is overflowed with the call to sprintf() for any subnetmask values that are greater than 1024-len(/etc/config-tools/config_interfaces interface=X1 state=enabled subnet-mask=) in length. A subnetmask value of length 0x3d9 will cause the service to crash.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(500804);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/04");

  script_cve_id("CVE-2019-5181");

  script_name(english:"Wago PFC200 iocheckd service 'I/O-Check' cache Code Execution (CVE-2019-5181)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"An exploitable stack buffer overflow vulnerability vulnerability
exists in the iocheckd service I/O-Check' functionality of WAGO PFC
200 Firmware version 03.02.02(14). A specially crafted XML cache file
written to a specific location on the device can cause a stack buffer
overflow, resulting in code execution. An attacker can send a
specially crafted packet to trigger the parsing of this cache file.
The destination buffer sp+0x440 is overflowed with the call to
sprintf() for any subnetmask values that are greater than
1024-len(/etc/config-tools/config_interfaces interface=X1
state=enabled subnet-mask=) in length. A subnetmask value of length
0x3d9 will cause the service to crash.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0963");
  script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5181");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(787);

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/03/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/02/14");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:wago:pfc200_firmware:03.02.02%2814%29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Wago");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Wago');

var asset = tenable_ot::assets::get(vendor:'Wago');

var vuln_cpes = {
    "cpe:/o:wago:pfc200_firmware:03.02.02%2814%29" :
        {"versionEndIncluding" : "03.02.02%2814%29", "versionStartIncluding" : "03.02.02%2814%29", "family" : "ControllerPFC200"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);
VendorProductVersionCPE
wagopfc200_firmware03.02.02%2814%29cpe:/o:wago:pfc200_firmware:03.02.02%2814%29

Related

nvd 1
cve 1
prion 1
cvelist 1
talos 1
nvd
nvd
CVE-2019-5181
2020-03-12 00:15:18
cve
cve
CVE-2019-5181
2020-03-12 00:15:18
prion
prion
Stack overflow
2020-03-12 00:15:00
cvelist
cvelist
CVE-2019-5181
2020-03-11 23:31:09
talos
talos
WAGO PFC200 iocheckd service "I/O-Check" cache Multiple Code Execution Vulnerabilities
2020-03-09 00:00:00

0.001 Low

EPSS

Percentile

22.9%

JSON
Related for TENABLE_OT_WAGO_CVE-2019-5181.NASL
nvd1cve1prion1cvelist1talos1