WAGO: PFC200 Access to files outside the home directory
CVE-2021-21001

9.1CRITICAL

Key Information:

Vendor: Wago
Status: Series Pfc200 Controller; Series Ethernet Controller
Vendor: CVE Published:; 24 May 2021

Summary

On WAGO PFC200 devices in different firmware versions with special crafted packets an authorised attacker with network access to the device can access the file system with higher privileges.

Affected Version(s)

Series Ethernet Controller 750-8202/xxx-xxx < 03.06.19 (18)

Series Ethernet Controller 750-8203/xxx-xxx < 03.06.19 (18)

Series Ethernet Controller 750-8204/xxx-xxx < 03.06.19 (18)

References

https://cert.vde.com/en-us/advisories/vde-2021-014

x_refsource_CONFIRM

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
May 24, 2021
Vulnerability Reserved
Dec 17, 2020

Credit

These vulnerabilities were reported by JSC Positive Technologies (Vyacheslav Moskvin, Anton Dorfman, Sergey Fedonin, Ivan Kurnakov, Denis Goryushev). Coordination done by CERT@VDE.