TALOS-2019-0939

WAGO PFC100/200 Web-Based Management (WBM) FastCGI configuration insufficient resource pool denial of service

Published: 2020-03-09 00:00:00
Talos Intelligence
www.talosintelligence.com

CVSS2

Score: 5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

Score: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

Score: 0.001
Percentile: 45.3%

Summary

The WBM web application on firmware versions prior to 03.02.02 and 03.01.07 on the WAGO PFC100 and PFC200, respectively, runs on a lighttpd web server and makes use of the FastCGI module, which is intended to “provide high performance for all Internet applications without the penalties of Web server APIs.” However, the default configuration of this module appears to limit the number of concurrent php-cgi processes to two, which can be abused to cause a denial of service of the entire web server.

Tested Versions

WAGO PFC200 Firmware version 03.00.39(12)
WAGO PFC200 Firmware version 03.01.07(13)
WAGO PFC100 Firmware version 03.00.39(12)
WAGO PFC100 Firmware version 03.02.02(14)

Based on inspection of various firmware versions, this vulnerability appears to affect all versions from the current one back to at least 10 and likely earlier.

Product URLs

CVSSv3 Score

5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-410: Insufficient Resource Pool

Details

The WAGO PFC100 and PFC200 devices are programmable automation controllers that boast high cybersecurity standards by including VPN, SSL and firewall software. WAGO controllers are used in many industries including automotive, rail, power engineering, manufacturing, and building management.

The WBM web application runs on a lighttpd web server and makes use of the FastCGI module, which is intended to “provide high performance for all Internet applications without the penalties of Web server APIs.” However, the default configuration of this module appears to limit the number of concurrent php-cgi processes to two, which can be abused to cause a DoS of the entire web server.

The default configuration in /etc/lighttpd/mod_fastcgi.conf:

fastcgi.server += (
  ".php" =>
    ( "localhost" =>
      (
        "socket" => "/tmp/php-fastcgi.socket",
        "bin-path" => "/usr/bin/php-cgi",
        "min-procs" => 1,
        "max-procs" => 2,
        "max-load-per-proc" => 8,
        "idle-timeout" => 50,
        # Fix PATH_INFO for PHP scripts that rely on it (like Wordpress).
        "broken-scriptfilename" => "enable"
      )
    )
)
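To check a device's own mod_fastcgi.conf for this pool size, here is an added example (not Talos or WAGO code) that parses the backend block quoted above, estimates how long a backlog of stalled requests would starve the pool, and flags the weak settings; the audit thresholds and the sample config copy are this example's own assumptions.

```python
import re

# Constructed copy of the default block quoted in the advisory, used as sample input.
DEFAULT_CONF = '''
fastcgi.server += (
  ".php" => ( "localhost" => (
      "socket" => "/tmp/php-fastcgi.socket",
      "bin-path" => "/usr/bin/php-cgi",
      "min-procs" => 1,
      "max-procs" => 2,
      "max-load-per-proc" => 8,
      "idle-timeout" => 50,
      # Fix PATH_INFO for PHP scripts that rely on it (like Wordpress).
      "broken-scriptfilename" => "enable"
  ) )
)
'''

# Matches `"key" => "string"` or `"key" => 123`; keys like ".php" and "localhost" (which
# open nested groups rather than carry a scalar) are skipped.
_KV = re.compile(r'"([\w-]+)"\s*=>\s*(?:"([^"]*)"|(\d+))')


def parse_fastcgi_backend(text):
    """Return the scalar settings of a lighttpd fastcgi.server backend, ignoring # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        for m in _KV.finditer(line):
            key, string_val, int_val = m.groups()
            settings[key] = int(int_val) if int_val is not None else string_val
    return settings


def worst_case_stall_seconds(settings, queued_requests):
    """Seconds until `queued_requests` requests, each held for the idle-timeout as the
    advisory describes, have drained through a pool of max-procs workers."""
    return -(-queued_requests // settings["max-procs"]) * settings["idle-timeout"]


def audit(settings, min_pool=8, max_hold_seconds=10):
    """Flag settings under which a handful of slow requests block every other client.
    The thresholds are assumptions for this example, not values from the advisory."""
    findings = []
    procs, hold = settings.get("max-procs", 0), settings.get("idle-timeout", 0)
    if procs < min_pool:
        findings.append(f"max-procs={procs}: only {procs} slow requests exhaust the pool")
    if hold > max_hold_seconds:
        findings.append(f"idle-timeout={hold}: each stuck request holds a worker for {hold}s")
    return findings
```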

By sending several malicious requests, it is possible for an attacker to indefinitely deny legitimate access to the WBM web application.

Exploit Proof of Concept

Sending a POST to /wbm/login.php with the username “admin” or “user” and a large password (tens of thousands of characters) will result in around a 50-second DoS of the WBM web application (the idle timeout specified in the mod_fastcgi config) due to the use of PHP crypt(), as described in TALOS-2019-XXXX.

{"username":"admin","password":"a"*30000}

The web server is configured (via mod_fastcgi) to allow no more than two concurrent php-cgi processes. By sending a large number of the above requests, the web server will attempt to process all of them, two at a time, for 50 seconds each, resulting in a DoS of the web server for a potentially indefinite length of time.

Note that this example is used to illustrate the ease of exploitation of this vulnerability but it is by no means the only way to do so.

Timeline

2019-10-23 - Vendor passed to CERT@VDE for coordination/handling
2019-12-16 - Disclosure deadline extended
2020-01-28 - Talos discussion about vulnerabilities with Vendor
2020-03-09 - Public Release
