CVE-2019-5180
Description
An exploitable stack buffer overflow vulnerability exists in the iocheckd service ‘I/O-Check’ functionality of WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to trigger the parsing of this cache file. The destination buffer sp+0x440 is overflowed with the call to sprintf() for any ip values that are greater than 1024-len(‘/etc/config-tools/config_interfaces interface=X1 state=enabled ip-address=‘) in length. An ip value of length 0x3da will cause the service to crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack buffer overflow in WAGO PFC 200 iocheckd service allows attackers to execute arbitrary code via a specially crafted XML cache file.
Vulnerability
The WAGO PFC 200 firmware version 03.02.02(14) contains a stack buffer overflow in the iocheckd service's 'I/O-Check' functionality. The vulnerability exists during parsing of the /tmp/iocheckCache.xml file, which is globally writable. When processing an IP address value in the cache file, the service uses sprintf() to copy data into a fixed stack buffer at offset sp+0x440. If the IP address string exceeds 1024 bytes minus the length of the prefix string /etc/config-tools/config_interfaces interface=X1 state=enabled ip-address=, the buffer overflows. An IP value of length 0x3da (986) bytes causes the service to crash [1].
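The unbounded sprintf() pattern described above, next to a bounded form, as an added example (not WAGO's code and not taken from the referenced report). The function names, the IPv4-only allow-list and the sample address are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 1024 /* destination size from the CVE description */
static const char PREFIX[] =
    "/etc/config-tools/config_interfaces interface=X1 state=enabled ip-address=";

/* Pattern from the description, shown for contrast and never called here:
 * sprintf() writes prefix + ip without knowing how large dst is. */
void build_cmd_unbounded(char *dst, const char *ip)
{
    sprintf(dst, "%s%s", PREFIX, ip);
}

/* Longest ip value that fits after the prefix, leaving room for the NUL. */
size_t max_ip_len(void)
{
    return CMD_BUF_SIZE - (sizeof(PREFIX) - 1) - 1;
}

/* Bounded form (hypothetical helper). Returns 0 on success, -1 on reject. */
int build_cmd_bounded(char *dst, size_t dst_size, const char *ip)
{
    /* Assumption: the field holds an IPv4 dotted quad, so at most 15
     * characters drawn from digits and dots. */
    size_t n = strspn(ip, "0123456789.");
    if (n == 0 || n > 15 || ip[n] != '\0')
        return -1;

    /* snprintf() returns the length it needed; >= dst_size means truncated. */
    int need = snprintf(dst, dst_size, "%s%s", PREFIX, ip);
    if (need < 0 || (size_t)need >= dst_size) {
        if (dst_size > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char cmd[CMD_BUF_SIZE];
    const char *ip = "192.168.1.17"; /* constructed sample value */

    printf("max ip length: %zu\n", max_ip_len());
    if (build_cmd_bounded(cmd, sizeof cmd, ip) == 0)
        printf("%s\n", cmd);
    return 0;
}
```

The 0x3da-byte value named in the description is longer than `max_ip_len()`, so the bounded form rejects it at the length check before any formatting takes place.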
Exploitation
An attacker must have local or remote access to write the malicious XML cache file to /tmp/iocheckCache.xml on the device. All users have write permission for /tmp. After placing the file, the attacker sends a BC_SaveParameter message, which triggers the iocheckd service to parse the cache file. The parsing routine copies attacker-controlled data into the stack buffer without proper bounds checking, leading to the overflow [1].
Impact
Successful exploitation allows an attacker to corrupt the stack and potentially achieve arbitrary code execution. The CVSSv3 score is 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability. The attacker gains code execution in the context of the iocheckd service, which can lead to full compromise of the device [1].
Mitigation
As of the publication date (2020-03-11), no fixed firmware version has been released by WAGO. Users should monitor vendor advisories for updates. Workarounds include restricting write access to /tmp and disabling the iocheckd service if not required. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
0
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2019-0963 (mitre, x_refsource_MISC)