CVE-2019-5181
Description
An exploitable stack buffer overflow vulnerability exists in the iocheckd service ‘I/O-Check’ functionality of WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can cause a stack buffer overflow, resulting in code execution. An attacker can send a specially crafted packet to trigger the parsing of this cache file. The destination buffer sp+0x440 is overflowed with the call to sprintf() for any subnetmask values that are greater than 1024-len(‘/etc/config-tools/config_interfaces interface=X1 state=enabled subnet-mask=‘) in length. A subnetmask value of length 0x3d9 will cause the service to crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack buffer overflow in WAGO PFC 200 iocheckd service allows code execution via crafted XML cache file.
Vulnerability
A stack buffer overflow exists in the iocheckd service 'I/O-Check' functionality of WAGO PFC 200 (firmware version 03.02.02(14)) [1]. The service uses a file-backed cache stored at /tmp/iocheckCache.xml, which is globally writable. Parsing this XML cache file with a specially crafted subnet-mask value triggers the overflow. The destination buffer at stack offset sp+0x440 is overflowed via a sprintf() call when the subnet-mask value exceeds the remaining buffer length (1024 minus the length of the string '/etc/config-tools/config_interfaces interface=X1 state=enabled subnet-mask=') [1]. A subnet-mask value of length 0x3d9 causes a crash [1].
Exploitation
An attacker needs local file-system write access to place the malicious XML cache file at /tmp/iocheckCache.xml [1]. All authenticated users on the device can write to /tmp. After the file is placed, the attacker sends a BC_SaveParameter message, which causes the iocheckd service to parse the crafted XML file and triggers the stack buffer overflow [1]. No user interaction beyond placing the file is required; the service processes the file upon receiving the command.
Impact
Successful exploitation results in arbitrary code execution in the context of the iocheckd service [1]. The CVSS v3.0 base score is 8.8 with a vector of AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating high impact on confidentiality, integrity, and availability, with a scope change (the vulnerable component is not the only component affected) [1]. The attacker gains the ability to execute arbitrary code, potentially leading to full control of the device.
Mitigation
As of the Talos advisory published 2020-03-11, no fixed firmware version had been released [1]. Users should monitor WAGO's security advisories for patched firmware. If no update is available, restrict write access to /tmp and limit local user accounts to trusted personnel only. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the last update [1].
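At the code level, the unbounded sprintf() described above is closed by validating the subnet-mask value and bounding the write. The following is an added example, not code from WAGO or the Talos advisory; the 1024-byte buffer size is taken from the description's "1024-len(...)" expression, and the function and macro names are hypothetical.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMD_BUF_LEN 1024 /* assumed size, from the advisory's "1024-len(...)" */
#define CMD_PREFIX \
    "/etc/config-tools/config_interfaces interface=X1 state=enabled subnet-mask="

/* Longest value that fits after the prefix, leaving room for the NUL. */
size_t max_mask_len(void) { return CMD_BUF_LEN - strlen(CMD_PREFIX) - 1; }

/* Accept only a dotted-quad IPv4 netmask whose 1 bits are contiguous. */
int mask_is_valid(const char *mask) {
    struct in_addr a;
    if (mask == NULL || strlen(mask) > 15) /* longest: "255.255.255.255" */
        return 0;
    if (inet_pton(AF_INET, mask, &a) != 1)
        return 0;
    uint32_t inv = ~ntohl(a.s_addr);
    return (inv & (inv + 1)) == 0; /* inverted mask must be 2^k - 1 */
}

/* Hypothetical bounded replacement for the unbounded pattern
 *     sprintf(buf, CMD_PREFIX "%s", mask);
 * Returns 0 on success, -1 if the value is rejected or would not fit. */
int build_subnet_cmd(char *out, size_t out_len, const char *mask) {
    if (!mask_is_valid(mask))
        return -1;
    int n = snprintf(out, out_len, "%s%s", CMD_PREFIX, mask);
    if (n < 0 || (size_t)n >= out_len)
        return -1; /* truncated: treat as an error, never use the result */
    return 0;
}

int main(void) {
    char cmd[CMD_BUF_LEN];
    char oversized[0x3d9 + 1]; /* constructed: the crash length from the text */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("valid mask     -> %d\n", build_subnet_cmd(cmd, sizeof cmd, "255.255.255.0"));
    printf("oversized mask -> %d\n", build_subnet_cmd(cmd, sizeof cmd, oversized));
    printf("max value len  =  %zu\n", max_mask_len());
    return 0;
}
```

Rejecting on format first means the length check in snprintf() is a second line of defence: a value read from a world-writable cache file is never copied unless it already looks like a netmask.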
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2019-0963 (mitre, x_refsource_MISC)