CVE-2019-5175

Vulnerability

The iocheckd service I/O-Check function in WAGO PFC 200 Firmware version 03.02.02(14) contains a command injection vulnerability. The service parses an XML cache file stored at /tmp/iocheckCache.xml, which is globally writable. During parsing, the type node value is extracted and used unsanitized in a call to sprintf() to construct a command string: /etc/config-tools/config_interfaces interface=X1 state=enabled config-type=. This command is later executed via system(). [1]

Exploitation

An attacker with write access to /tmp on the device can place a specially crafted iocheckCache.xml file containing malicious content in the type node. The vulnerability is triggered by sending the BC_SaveParameter message to the iocheckd service, which causes the cache file to be parsed and the injected command to be executed. No authentication is required beyond local write access; the attacker must have a means to write the file, e.g., via an existing foothold or a separate vulnerability. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands as the root user. This results in full compromise of the device, including data exfiltration, installation of malware, and potential lateral movement within the network. The CVSSv3 score is 8.8, indicating high severity. [1]

Mitigation

According to the Talos advisory, WAGO has released a firmware update to address this vulnerability. Affected users should upgrade to a patched version. As a workaround, restrict write access to /tmp if possible. No other mitigations are disclosed in the available reference. [1]