This update is a bit odd for a few reasons. Here is my summary of how it relates to my disclosure: the passwords disclosed by me are hard-coded, and WAGO has not provided instructions to change those passwords. The ICS-CERT update is not relevant to my findings, unfortunately, and can safely be ignored by any owner of WAGO IPC 758-870 models.
On to the technical nitty-gritty.
ICSA-12-249 was the advisory given to my hardcoded account disclosure in the WAGO 758-870. The update sent yesterday is an addendum to that advisory. Oddly, the update contains information pertinent to ICSA-12-097-02. 097-02 concerns the CoDeSys ladder logic runtime engine found on many, many, many (did I mention many?) manufacturers’ PLCs. CoDeSys issues affect vendors from ABB to WAGO and many letters and acronyms in between (at least 261 vendors use CoDeSys runtime). Buried in this WAGO update is some interesting information, namely that CoDeSys’ alleged authentication on its PLC is bunk, which is true. CoDeSys PLC runtime suffers from a slew of bugs, really: directory traversal, arbitrary file read+write, authentication bypass, and arbitrary code execution. The CVSS score should be something astounding once I put a code sample out.
Let’s focus on the WAGO-relevant parts of the ICS-CERT alert update, though.