CVE-2019-5172
Description
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to trigger the parsing of the service's cache file. At 0x1e840 the ntp value extracted from the XML file is used as an argument to /etc/config-tools/config_sntp time-server-%d= using sprintf(). This command is later executed via a call to system(). This is done in a loop, and there is no limit to how many ntp entries will be parsed from the XML file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A command injection flaw in WAGO PFC 200 firmware 03.02.02(14) allows local attackers to execute arbitrary OS commands as root via a crafted XML cache file.
Vulnerability
The iocheckd service 'I/O-Check' function in WAGO PFC 200 Firmware version 03.02.02(14) contains a command injection vulnerability. The service parses a file-backed cache stored at /tmp/iocheckCache.xml, which is globally writable. During parsing, the value extracted from the ntp node in the XML file is used unsanitized as an argument to /etc/config-tools/config_sntp time-server-%d= via sprintf(). This command string is subsequently passed to system(). The parsing occurs in a loop with no limit on the number of ntp entries processed [1].
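The hardened counterpart of the sink described above, as an added example (not WAGO's code and not taken from the Talos report): each ntp value is checked against a hostname/IP allowlist, the entry index is capped, and the tool is started with execv() so no shell ever parses the value. `MAX_NTP`, the function names, and the assumption that the value directly follows `time-server-%d=` are illustrative.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CONFIG_SNTP "/etc/config-tools/config_sntp" /* path named in the description */
#define MAX_NTP 4 /* assumed cap; the description says the original loop has none */

/* Allowlist: hostname or IP literal characters only, bounded length. */
int ntp_value_ok(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 253 || s[0] == '-' || s[0] == '.') return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)s[i]) && !strchr(".-:", s[i])) return 0;
    return 1;
}

/* Format "time-server-<idx>=<value>" as ONE argv element; 0 on success. */
int build_sntp_arg(char *out, size_t n, int idx, const char *ntp) {
    if (idx < 0 || idx >= MAX_NTP || !ntp_value_ok(ntp)) return -1;
    int w = snprintf(out, n, "time-server-%d=%s", idx, ntp);
    return (w < 0 || (size_t)w >= n) ? -1 : 0; /* reject truncation */
}

/* Run the tool with execv(): no shell parses the value, unlike system(). */
int set_time_server(int idx, const char *ntp) {
    char arg[300];
    if (build_sntp_arg(arg, sizeof arg, idx, ntp) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { (char *)CONFIG_SNTP, arg, NULL };
        execv(CONFIG_SNTP, argv);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    /* Constructed sample values: two well-formed, three that must be rejected. */
    const char *samples[] = { "pool.ntp.org", "192.0.2.10", "a;b", "$(x)", "-h" };
    char arg[300];
    for (int i = 0; i < 5; i++)
        printf("%-14s -> %s\n", samples[i],
               build_sntp_arg(arg, sizeof arg, 0, samples[i]) == 0 ? arg : "rejected");
    return 0;
}
```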
Exploitation
An attacker with local access (any user who can write to /tmp) can place a malicious XML file at /tmp/iocheckCache.xml. By sending a specially crafted BC_SaveParameter message, the attacker triggers the iocheckd service to parse this cache file. The injected OS commands within the ntp node content are then executed. No authentication beyond local user access is required, and the attack does not rely on user interaction beyond the write and message delivery [1].
Impact
Successful exploitation allows the attacker to execute arbitrary operating system commands with root privileges, leading to full compromise of the device. This results in complete loss of confidentiality, integrity, and availability (CIA). The attacker can read, modify, or delete any data, install backdoors, or disrupt controller operations [1].
Mitigation
As of the publication date, WAGO PFC 200 Firmware version 03.02.02(14) is affected. The advisory recommends updating to a patched firmware version if available; otherwise, restrict local write access to /tmp or apply network segmentation to limit attack surface. No workaround is provided in the available reference [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2019-0962 (mitre, x_refsource_MISC)