VDE-2020-004
Vulnerability from csaf_wagogmbhcokg - Published: 2020-03-09 09:00 - Updated: 2025-05-14 13:00Summary
WAGO: e!Cockpit cleartext communication and hardcoded key
Notes
Summary: The communication between e!Cockpit and the programmable logic controller is not encrypted. The broken cryptographic algorithm allows an attacker to decode the password for the e!Cockpit communication and with this to manipulate the application.
The password used by e!Cockpit for authentication against the PLC is encrypted with a hard-coded key. An attacker is able to decrypt the password by listening to the network traffic.
Impact: The vulnerabilities allow an attacker who has access to the network communication between e!Cockpit and the PLC to listen, manipulate, or drop any information they choose from the corresponding communication.
Mitigation: * Follow the instructions in WAGO's handbook Cyber Security for Controller
* Restrict network access to the device.
* Do not directly connect the device to the internet
* Use an encrypted VPN connection to the device
* Disable unused TCP/UDP-ports
Typically the e!Cockpit communication is only needed during commissioning of the programmable logic controller and not during normal operations. WAGO highly recommends disabling the TCP Port 11740 and UDP Port 1740 after commissioning or using an encrypted VPN connection to the device.
A cleartext transmission vulnerability exists in the network communication functionality of WAGO e!Cockpit version 1.5.1.1. An attacker with access to network traffic can easily intercept, interpret, and manipulate data coming from, or destined for e!Cockpit. This includes passwords, configurations, and binaries being transferred to endpoints.
7.5 (High)
Mitigation
* Follow the instructions in WAGO's handbook Cyber Security for Controller
* Restrict network access to the device.
* Do not directly connect the device to the internet
* Use an encrypted VPN connection to the device
* Disable unused TCP/UDP-ports
Typically the e!Cockpit communication is only needed during commissioning of the programmable logic controller and not during normal operations. WAGO highly recommends disabling the TCP Port 11740 and UDP Port 1740 after commissioning or using an encrypted VPN connection to the device.
A hard-coded encryption key vulnerability exists in the authentication functionality of WAGO e!Cockpit version 1.5.1.1. An attacker with access to communications between e!Cockpit and CoDeSyS Gateway can trivially recover the password of any user attempting to log in, in plain text.
5.5 (Medium)
Mitigation
* Follow the instructions in WAGO's handbook Cyber Security for Controller
* Restrict network access to the device.
* Do not directly connect the device to the internet
* Use an encrypted VPN connection to the device
* Disable unused TCP/UDP-ports
Typically the e!Cockpit communication is only needed during commissioning of the programmable logic controller and not during normal operations. WAGO highly recommends disabling the TCP Port 11740 and UDP Port 1740 after commissioning or using an encrypted VPN connection to the device.
References
| URL | Category | |
|---|---|---|
Acknowledgments
CERTVDE
certvde.com
{
"document": {
"acknowledgments": [
{
"organization": "CERTVDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "The communication between e!Cockpit and the programmable logic controller is not encrypted. The broken cryptographic algorithm allows an attacker to decode the password for the e!Cockpit communication and with this to manipulate the application.\n\nThe password used by e!Cockpit for authentication against the PLC is encrypted with a hard-coded key. An attacker is able to decrypt the password by listening to the network traffic.",
"title": "Summary"
},
{
"category": "description",
"text": "The vulnerabilities allow an attacker who has access to the network communication between e!Cockpit and the PLC to listen, manipulate, or drop any information they choose from the corresponding communication.",
"title": "Impact"
},
{
"category": "description",
"text": "* Follow the instructions in WAGO\u0027s handbook Cyber Security for Controller \n * Restrict network access to the device. \n * Do not directly connect the device to the internet \n * Use an encrypted VPN connection to the device \n * Disable unused TCP/UDP-ports \n\n Typically the e!Cockpit communication is only needed during commissioning of the programmable logic controller and not during normal operations. WAGO highly recommends disabling the TCP Port 11740 and UDP Port 1740 after commissioning or using an encrypted VPN connection to the device.",
"title": "Mitigation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@wago.com",
"name": "WAGO GmbH \u0026 Co. KG",
"namespace": "https://www.wago.com/psirt"
},
"references": [
{
"category": "external",
"summary": "WAGO GmbH \u0026 Co. KG",
"url": "https://www.wago.com/psirt"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories",
"url": "https://certvde.com/en/advisories/vendor/wago/"
},
{
"category": "self",
"summary": "VDE-2020-004: WAGO: e!Cockpit cleartext communication and hardcoded key - HTML",
"url": "https://certvde.com/en/advisories/VDE-2020-004/"
},
{
"category": "self",
"summary": "VDE-2020-004: WAGO: e!Cockpit cleartext communication and hardcoded key - CSAF",
"url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2020/vde-2020-004.json"
}
],
"title": "WAGO: e!Cockpit cleartext communication and hardcoded key",
"tracking": {
"aliases": [
"VDE-2020-004"
],
"current_release_date": "2025-05-14T13:00:14.000Z",
"generator": {
"date": "2020-03-09T09:00:00.000Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.11"
}
},
"id": "VDE-2020-004",
"initial_release_date": "2020-03-09T09:00:00.000Z",
"revision_history": [
{
"date": "2020-03-09T09:00:00.000Z",
"number": "1",
"summary": "initial revision"
},
{
"date": "2025-04-10T13:00:00.000Z",
"number": "2",
"summary": "Fixed namespace URL"
},
{
"date": "2025-05-14T13:00:14.000Z",
"number": "3",
"summary": "Fix: added distribution"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "762-4xxx",
"product": {
"name": "762-4xxx",
"product_id": "CSAFPID-11001",
"product_identification_helper": {
"model_numbers": [
"762-4xxx"
]
}
}
},
{
"category": "product_name",
"name": "762-5xxx",
"product": {
"name": "762-5xxx",
"product_id": "CSAFPID-11002",
"product_identification_helper": {
"model_numbers": [
"762-5xxx"
]
}
}
},
{
"category": "product_name",
"name": "762-6xxx",
"product": {
"name": "762-6xxx",
"product_id": "CSAFPID-11003",
"product_identification_helper": {
"model_numbers": [
"762-6xxx"
]
}
}
},
{
"category": "product_name",
"name": "750-81xx/xxx-xxx",
"product": {
"name": "750-81xx/xxx-xxx",
"product_id": "CSAFPID-11004",
"product_identification_helper": {
"model_numbers": [
"750-81xx/xxx-xxx"
]
}
}
},
{
"category": "product_name",
"name": "750-82xx/xxx-xxx",
"product": {
"name": "750-82xx/xxx-xxx",
"product_id": "CSAFPID-11005",
"product_identification_helper": {
"model_numbers": [
"750-82xx/xxx-xxx"
]
}
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=FW04",
"product": {
"name": "Firmware \u003e=FW04",
"product_id": "CSAFPID-21001"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "WAGO GmbH \u0026 Co. KG"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
],
"summary": "Affected Products"
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003e=FW04 installed on 762-4xxx",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003e=FW04 installed on 762-5xxx",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003e=FW04 installed on 762-6xxx",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003e=FW04 installed on 750-81xx/xxx-xxx",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003e=FW04 installed on 750-82xx/xxx-xxx",
"product_id": "CSAFPID-31005"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11005"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-5107",
"cwe": {
"id": "CWE-319",
"name": "Cleartext Transmission of Sensitive Information"
},
"notes": [
{
"category": "description",
"text": "A cleartext transmission vulnerability exists in the network communication functionality of WAGO e!Cockpit version 1.5.1.1. An attacker with access to network traffic can easily intercept, interpret, and manipulate data coming from, or destined for e!Cockpit. This includes passwords, configurations, and binaries being transferred to endpoints.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Follow the instructions in WAGO\u0027s handbook Cyber Security for Controller \n * Restrict network access to the device. \n * Do not directly connect the device to the internet \n * Use an encrypted VPN connection to the device \n * Disable unused TCP/UDP-ports \n\n Typically the e!Cockpit communication is only needed during commissioning of the programmable logic controller and not during normal operations. WAGO highly recommends disabling the TCP Port 11740 and UDP Port 1740 after commissioning or using an encrypted VPN connection to the device.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5107"
},
{
"cve": "CVE-2019-5106",
"cwe": {
"id": "CWE-327",
"name": "Use of a Broken or Risky Cryptographic Algorithm"
},
"notes": [
{
"category": "description",
"text": "A hard-coded encryption key vulnerability exists in the authentication functionality of WAGO e!Cockpit version 1.5.1.1. An attacker with access to communications between e!Cockpit and CoDeSyS Gateway can trivially recover the password of any user attempting to log in, in plain text.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Follow the instructions in WAGO\u0027s handbook Cyber Security for Controller \n * Restrict network access to the device. \n * Do not directly connect the device to the internet \n * Use an encrypted VPN connection to the device \n * Disable unused TCP/UDP-ports \n\n Typically the e!Cockpit communication is only needed during commissioning of the programmable logic controller and not during normal operations. WAGO highly recommends disabling the TCP Port 11740 and UDP Port 1740 after commissioning or using an encrypted VPN connection to the device.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"environmentalScore": 5.5,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 5.5,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5106"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…