CVE-2019-5186
Description
An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file.At 0x1eb9c the extracted interface element name from the xml file is used as an argument to /etc/config-tools/config_interfaces interface= using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any interface values that are greater than 512-len("/etc/config-tools/config_interfaces interface=") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An interface value of length 0x3c4 will cause the service to crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack buffer overflow in WAGO PFC 200 iocheckd service allows denial of service and potential code execution via crafted XML cache file.
Vulnerability
The iocheckd service in WAGO PFC 200 firmware version 03.02.02(14) contains a stack buffer overflow in the "I/O-Check" functionality. The service parses a cache file stored at /tmp/iocheckCache.xml, which is globally writable. During parsing, the extracted interface element name is used in a sprintf() call to construct a command string, copying into a stack buffer sp+0x40. If the interface value exceeds 512 bytes minus the length of the prefix string, the buffer overflows. Subsequently, strcpy() copies the overflowed buffer into an adjacent stack buffer sp+0x440, causing invalid memory access. [1]
Exploitation
An attacker with local access or the ability to write to the globally writable /tmp/iocheckCache.xml can craft a malicious XML cache file containing an interface element with a value of length 0x3c4 (964 bytes). When the iocheckd service parses this file, the oversized interface value triggers the stack buffer overflow, leading to a crash of the service. No authentication is required beyond write access to the cache file. [1]
Impact
Successful exploitation results in a denial of service (DoS) for iocheckd messages, which will respond with errors. Depending on compiler and optimization levels, the vulnerability could potentially be leveraged for arbitrary code execution, leading to full compromise of the device. The CVSSv3 score is 7.0 (High) with impacts to confidentiality, integrity, and availability. [1]
Mitigation
As of the advisory publication date (March 2020), no fixed firmware version has been disclosed in the available references. Users should monitor WAGO's security advisories for updates. Restricting write access to the cache file location may reduce the attack surface. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- WAGO/PFC 200description
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- talosintelligence.com/vulnerability_reports/TALOS-2019-0966mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.