CVE-2019-5169
Description
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can be used to inject OS commands. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1e900 the extracted gateway value from the XML file is used as an argument to /etc/config-tools/config_default_gateway number=0 state=enabled value= using sprintf(). This command is later executed via a call to system().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in WAGO PFC 200 iocheckd service allows local attackers to execute arbitrary OS commands as root via a crafted XML cache file.
Vulnerability
The iocheckd service in WAGO PFC 200 firmware version 03.02.02(14) contains a command injection vulnerability in the "I/O-Check" function. The service parses an XML cache file at /tmp/iocheckCache.xml, which is globally writable. During parsing, the gateway value extracted from the XML is formatted, unsanitized, with sprintf() into the command /etc/config-tools/config_default_gateway number=0 state=enabled value=, and the resulting string is executed with system(). Because system() hands the string to a shell, this allows injection of arbitrary OS commands. [1]
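The pattern described above next to a hardened form, as an added example (not WAGO's code and not taken from the Talos report). The function names are hypothetical, and the example assumes the gateway field is meant to hold a dotted-quad IPv4 address; only the config tool path comes from this page.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Tool path as given in the CVE description. */
#define GW_TOOL "/etc/config-tools/config_default_gateway"

/* Pattern from the advisory: the XML value is pasted into a shell command
 * line. The string is only returned for inspection, never run here. */
int build_shell_cmd_unsafe(const char *gw, char *out, size_t n) {
    return snprintf(out, n, GW_TOOL " number=0 state=enabled value=%s", gw);
}

/* Accept only a canonical dotted-quad IPv4 address (assumed field type). */
int gateway_is_valid(const char *gw) {
    struct in_addr a;
    char canon[INET_ADDRSTRLEN];
    if (gw == NULL || strlen(gw) >= INET_ADDRSTRLEN) return 0;
    if (inet_pton(AF_INET, gw, &a) != 1) return 0;
    if (inet_ntop(AF_INET, &a, canon, sizeof canon) == NULL) return 0;
    return strcmp(gw, canon) == 0; /* round trip rejects non-canonical text */
}

/* Hardened form: validate, then exec the tool directly with an argv array,
 * so no shell ever parses the value. Returns the tool's exit status,
 * or -1 if the value was rejected or the child could not be run. */
int set_default_gateway(const char *tool, const char *gw) {
    char arg[32]; /* "value=" plus at most 15 address characters */
    int status;
    pid_t pid;
    if (!gateway_is_valid(gw)) return -1;
    snprintf(arg, sizeof arg, "value=%s", gw);
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool, "number=0", "state=enabled", arg, NULL };
        execv(tool, argv);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Validation and shell-free execution are independent layers: either one alone blocks the injection path, and together they also stop a malformed address from reaching the config tool.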
Exploitation
An attacker needs local access to the device with the ability to write to /tmp (any user has write access). The attacker writes a specially crafted XML file to /tmp/iocheckCache.xml containing malicious content in the gateway node. Then, by sending a BC_SaveParameter message (or triggering the parsing of the cache file), the iocheckd service parses the file and executes the injected commands. No authentication is required beyond local file write capability. [1]
Impact
Successful exploitation allows an attacker to execute arbitrary OS commands as the root user, leading to full compromise of the device. This includes disclosure of sensitive information, modification of system configuration, and potential denial of service. The CVSSv3 score is 8.8 (High) with scope change, indicating impact on confidentiality, integrity, and availability. [1]
Mitigation
As of the publication date (2020-03-11), no firmware update was available to fix this vulnerability. Users should restrict local access to the device and monitor for unauthorized file writes to /tmp. The vendor WAGO may have released a patch in later firmware versions; consult the vendor advisory for updated information. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2019-0962 (mitre, x_refsource_MISC)