This update is a bit odd for a few reasons. Here is my summary of how it relates to my disclosure: the passwords disclosed by me are hard-coded, WAGO has not provided instructions to change those passwords. The ICS-CERT update is not relevant to my findings, unfortunately, and can safely be ignored by any owner of WAGO IPC 758-870 models.
On to the technical nitty-gritty.
ICSA-12-249 was the advisory given to my hardcoded account disclosure in the WAGO 758-870. The update sent yesterday is an addendum to that advisory. Oddly, the update contains information pertinent to ICSA-12-097-02. 097-02 concerns the CoDeSys ladder logic runtime engine found on many, many, many (did I mention many?) manufacturer’s PLCs. CoDeSys issues affect vendors from ABB to WAGO and many letters and acronyms in between (at least 261 vendors use CoDeSys runtime). Buried in this WAGO update is some interesting information, namely that CoDeSys’ alleged authentication on its PLC is bunk, which is true. CoDeSys PLC runtime suffers from a slew of bugs, really: directory traversal, arbitrary file read+write, authentication bypass, and arbitrary code execution. The CVSS score should be something astounding once I put a code sample out.
Let’s focus on the WAGO-relevant parts of the ICS-CERT alert update, though.
During our back-and-forth, ICS-CERT sent me a copy of WAGO’s document on changing their PLC passwords. They were curious if the instructions worked. The document instructions don’t work on the PLC that we tested, the 758-870. WAGO published the instructions as being for all 758 models, but with some ‘fine print’ on page 6: “This procedure has been tested with WAGO’s 758-874, 758-875, and 758-876 versions.” Note the model that I have isn’t included (and, like I said, the instructions don’t work). DSecRG apparently owns a 758-874 model (as evidenced by their disclosure), and we’re hoping that they can tell us whether the instructions actually work on that device.
So this ICS-CERT alert probably should have been an addendum to the advisory related to DSecRG’s findings, ICSA-12-020-07, not to my findings. It seems that my not-very-old PLC is out of lock for a vendor-blessed fix to its backdoor account problem.
My Gen1 758-870 was manufactured in 2007, making it only five years old. What vendors need to realize is that you can’t have it both ways — you can’t push your product as a robust piece of equipment that the customer needs to replace only once every 10 or 15 years, and then turn around and run an OS that speaks IP, an OS that is going to have bugs, an OS that can’t be updated or even have basic configuration changes made. I for one don’t want chemical plants, the electric grid, etc relying on this kind of device buffoonery.
Image by wwarby