CVE-2019-5171
Description
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet. At 0x1ea48, the extracted hostname value from the XML file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=enabled ip-address= using sprintf().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An OS command injection vulnerability in WAGO PFC 200 firmware allows local attackers to escalate privileges to root via a crafted XML cache file.
Vulnerability
An exploitable command injection vulnerability exists in the iocheckd service I/O-Check function of the WAGO PFC 200 Controller running firmware version 03.02.02(14). The service uses a file-backed cache stored at /tmp/iocheckCache.xml, which is globally writable by any user on the device. When parsing this XML file via the BC_SaveParameter message, the extracted hostname value from the XML is used unsanitized as an argument to /etc/config-tools/config_interfaces interface=X1 state=enabled ip-address= using sprintf() [1]. This allows injection of arbitrary OS commands into the ip-address parameter.
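The pattern described above, next to a hardened form, as an added example (not WAGO's code and not taken from the Talos report). It assumes the value is an IPv4 literal; the function names and the sample values are hypothetical, and nothing is executed.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define TOOL "/etc/config-tools/config_interfaces"

/* Pattern the advisory describes: the XML value is formatted straight into a
 * shell command line. Shown for contrast only; nothing is executed here. */
int build_cmd_unsafe(const char *ip, char *out, size_t n) {
    return snprintf(out, n, TOOL " interface=X1 state=enabled ip-address=%s", ip);
}

/* Accept only a strict dotted-quad IPv4 literal (assumption: IPv4 only).
 * inet_pton() rejects whitespace, shell metacharacters and trailing data. */
int is_valid_ipv4(const char *s) {
    struct in_addr a;
    return s != NULL && strlen(s) <= 15 && inet_pton(AF_INET, s, &a) == 1;
}

/* Hardened form: validate, then build an argv vector for execv() so no
 * shell ever parses the value. Returns 0 on success, -1 if rejected. */
int build_argv_safe(const char *ip, char *arg, size_t n, const char *argv[5]) {
    if (!is_valid_ipv4(ip))
        return -1;
    if (snprintf(arg, n, "ip-address=%s", ip) >= (int)n)
        return -1;
    argv[0] = TOOL;
    argv[1] = "interface=X1";
    argv[2] = "state=enabled";
    argv[3] = arg;
    argv[4] = NULL;
    return 0;
}

int main(void) {
    /* Constructed sample values, not taken from the advisory. */
    const char *samples[] = { "192.0.2.10", "192.0.2.10; echo INJECTED" };
    for (size_t i = 0; i < 2; i++) {
        char cmd[256], arg[64];
        const char *argv[5];
        build_cmd_unsafe(samples[i], cmd, sizeof cmd);
        printf("shell string : %s\n", cmd);
        printf("argv result  : %s\n",
               build_argv_safe(samples[i], arg, sizeof arg, argv) == 0
                   ? "accepted, pass argv to execv()" : "rejected");
    }
    return 0;
}
```

The second sample survives intact in the formatted shell string but is rejected before any argv is built.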
Exploitation
An attacker must have local access to the WAGO PFC 200 device with the ability to write a file to /tmp. The attacker crafts a malicious XML file containing OS command injection payloads within the ip node, places it at /tmp/iocheckCache.xml, then sends a BC_SaveParameter message to the iocheckd service. This triggers parsing of the cache file and execution of the injected commands with root privileges [1]. No authentication or user interaction beyond local write access is required.
Impact
Successful exploitation allows an attacker to execute arbitrary OS commands as the root user, achieving full compromise of the device. This includes the ability to read, modify, or delete any data, install persistent backdoors, and pivot to other network resources. The vulnerability is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command, and has a CVSSv3 score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) [1].
Mitigation
As of the publication date (2020-03-11), no patched firmware version was publicly available. WAGO recommended that users limit local access to the device and restrict write permissions to the /tmp directory where possible. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Users should monitor WAGO's security advisories for a firmware update addressing this issue [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2019-0962 (mitre, x_refsource_MISC)