Unrated severity · NVD Advisory · Published Mar 11, 2020 · Updated Aug 4, 2024

CVE-2019-5173

Description

An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can be used to inject OS commands. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1e9fc the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state= using sprintf(). This command is later executed via a call to system().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Command injection in WAGO PFC 200 iocheckd service allows local attackers to execute arbitrary OS commands as root via a crafted XML cache file.

Vulnerability

The iocheckd service I/O-Check function in WAGO PFC 200 firmware version 03.02.02(14) contains a command injection vulnerability. The service parses a file-backed cache stored at /tmp/iocheckCache.xml, which is globally writable. During parsing, the value of the state node in the XML is extracted and used unsanitized as an argument to /etc/config-tools/config_interfaces interface=X1 state= via sprintf(). This command is later executed with a call to system(). An attacker can write a specially crafted XML file to the cache location to inject arbitrary OS commands [1].
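A hardened form of the call described above, as an added example (not WAGO's code and not taken from the advisory): the state value is checked against an allowlist and the tool is run with a fixed argument vector instead of a shell. The allowed values "enabled" and "disabled" and all function names here are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern the advisory describes (shown only as a comment):
 *   sprintf(cmd, "/etc/config-tools/config_interfaces interface=X1 state=%s", state);
 *   system(cmd);   -- a shell interprets whatever the cache file supplied
 */

/* Assumption: these are the only legitimate state values. */
static const char *const ALLOWED_STATES[] = { "enabled", "disabled" };

/* Return 1 only when state is exactly one of the allowlisted values. */
int state_is_valid(const char *state)
{
    if (state == NULL) return 0;
    for (size_t i = 0; i < sizeof ALLOWED_STATES / sizeof ALLOWED_STATES[0]; i++)
        if (strcmp(state, ALLOWED_STATES[i]) == 0) return 1;
    return 0;
}

/* Write "state=<value>" into out; -1 if the value is rejected or does not fit. */
int build_state_arg(const char *state, char *out, size_t outlen)
{
    if (!state_is_valid(state)) return -1;
    int n = snprintf(out, outlen, "state=%s", state);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Run the tool with a fixed argv and no shell; returns its exit status or -1. */
int set_interface_state(const char *tool, const char *state)
{
    char arg[32];
    int status;
    if (build_state_arg(state, arg, sizeof arg) != 0) return -1; /* rejected before fork */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool, "interface=X1", arg, NULL };
        execv(tool, argv);   /* arguments are passed as-is, never parsed by a shell */
        _exit(127);          /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Validating the value does not change the fact that the cache at /tmp/iocheckCache.xml is writable by any user; the file's location and permissions are a separate hardening point.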

Exploitation

An attacker must have local access to the device and the ability to write to /tmp (any user can write). The attacker places a malicious XML file at /tmp/iocheckCache.xml containing an injected command in the state node. The vulnerability is triggered by sending a BC_SaveParameter message, which causes the iocheckd service to parse the cache file. No additional authentication or user interaction is required beyond the initial write access [1].

Impact

Successful exploitation allows the attacker to execute arbitrary OS commands as the root user, leading to full compromise of the device. This includes the ability to read, modify, or delete sensitive data, install malware, and pivot to other network resources. The CVSSv3 score is 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) [1].

Mitigation

As of the advisory publication date (2020-03-11), WAGO has not released a firmware update to address this vulnerability [1]. Users should restrict local access to the device, monitor /tmp for unauthorized XML files, and apply any future firmware updates from WAGO as they become available. No workaround is provided in the referenced advisory.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1
  • Wago/PFC200cpe-rescue
    Range: Firmware version 03.02.02(14)

Patches

0

No patches discovered yet.

References

1
