CVE-2019-5178
Description
An exploitable stack buffer overflow vulnerability exists in the iocheckd service 'I/O-Check' functionality of WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to trigger the parsing of this cache file. The destination buffer sp+0x440 is overflowed with the call to sprintf() for any hostname values that are greater than 1024-len('/etc/config-tools/change_hostname hostname=') in length. A hostname value of length 0x3fd will cause the service to crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack buffer overflow in WAGO PFC 200 iocheckd allows remote code execution via a crafted XML cache file.
Vulnerability
A stack buffer overflow vulnerability exists in the iocheckd service of WAGO PFC 200 firmware version 03.02.02(14). The vulnerability is triggered when the service parses the /tmp/iocheckCache.xml file, which is globally writable. A specially crafted packet containing the BC_SaveParameter message causes the service to read the cache file and use sprintf() to copy a hostname value into a stack buffer (sp+0x440). If the hostname length exceeds 1024 minus the length of the prefix string /etc/config-tools/change_hostname hostname=, a buffer overflow occurs. A hostname of length 0x3fd causes the service to crash [1].
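The length bound described above, worked through in C as an added example; this is not WAGO's code and not code from the Talos report. The prefix string and the 1024-byte destination size come from the description, while the helper names `build_hostname_cmd` and `try_hostname_len` and the sample hostnames are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Values taken from the CVE description. */
#define CMD_PREFIX   "/etc/config-tools/change_hostname hostname="
#define CMD_BUF_SIZE 1024

/* Longest hostname that fits: buffer minus prefix minus the NUL terminator. */
#define MAX_HOSTNAME_LEN (CMD_BUF_SIZE - (sizeof(CMD_PREFIX) - 1) - 1)

/*
 * Hypothetical helper: bounded replacement for an unbounded
 * sprintf(buf, "<prefix>%s", hostname) into a fixed-size stack buffer.
 * Returns 0 on success, -1 if the hostname is missing or does not fit.
 * On failure out is left empty so a half-built string is never used.
 */
int build_hostname_cmd(char *out, size_t outsz, const char *hostname)
{
    int n;

    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (hostname == NULL)
        return -1;

    /* snprintf writes at most outsz bytes and reports the length needed. */
    n = snprintf(out, outsz, "%s%s", CMD_PREFIX, hostname);
    if (n < 0 || (size_t)n >= outsz) {   /* output error or truncation */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input: a hostname of len 'A' characters run through the helper. */
int try_hostname_len(size_t len)
{
    static char host[2048];
    char cmd[CMD_BUF_SIZE];

    if (len >= sizeof(host))
        return -1;
    memset(host, 'A', len);
    host[len] = '\0';
    return build_hostname_cmd(cmd, sizeof(cmd), host);
}
```

The crashing length from the description (0x3fd) is rejected by this check instead of being copied onto the stack.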
Exploitation
An attacker with write access to the /tmp directory can place a malicious XML file at /tmp/iocheckCache.xml. The attacker then sends a BC_SaveParameter message to trigger parsing of the cache file. No authentication is required beyond local access to the device, as the service processes the cache file without privilege checks. The overflow occurs during the parsing of the hostname field, allowing the attacker to overwrite stack data [1].
Impact
Successful exploitation leads to code execution under the context of the iocheckd service. The CVSSv3 score is 8.8, indicating high impact on confidentiality, integrity, and availability. The attacker can achieve arbitrary code execution, potentially gaining full control of the controller [1].
Mitigation
As of the publication date (2020-03-11), WAGO has not released a patched firmware version. The recommended mitigation is to restrict write access to the /tmp directory and monitor for unauthorized file writes. Administrators should apply any updates from WAGO when available. No workaround is provided in the available references [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2019-0963 (mitre, x_refsource_MISC)