CVE-2019-5135

Vulnerability

An exploitable timing discrepancy vulnerability exists in the authentication functionality of the Web-Based Management (WBM) web application on WAGO PFC100/200 controllers. The WBM application makes use of the PHP crypt() function which can be exploited to disclose hashed user credentials [1]. This affects WAGO PFC200 Firmware version 03.00.39(12) and version 03.01.07(13), and WAGO PFC100 Firmware version 03.00.39(12) [1]. The vulnerability resides in the PasswordCorrect() function within login.php, where user input is passed to crypt() without input validation or filtering, and the resulting hash is compared with the stored hash [1].

Exploitation

An attacker can exploit this vulnerability by making a series of unauthenticated requests over the network to the WBM login endpoint [1]. By measuring the response timing differences when submitting crafted password strings, the attacker can perform a timing side-channel attack to iteratively deduce the stored password hash. No authentication or prior access is required; the attack is network-based [1].

Impact

Successful exploitation allows an attacker to disclose hashed user credentials [1]. The CVSSv3 score is 5.3 (Medium), with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating low confidentiality impact, no integrity or availability impact, and no user interaction required [1]. The disclosure of hashed passwords could enable further offline attacks to recover plaintext passwords, potentially leading to unauthorized access to the WBM interface.

Mitigation

As of the publication date (2020-03-10), no fixed firmware version has been released. The vendor has not provided an official patch or workaround in the available references [1]. Users are advised to monitor vendor advisories and consider restricting network access to the WBM interface to trusted hosts only as a temporary mitigation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.