CVSS2
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS
Percentile: 20.2%

A hard-coded encryption key vulnerability exists in the authentication functionality of WAGO e!Cockpit, version 1.5.1.1. An attacker with access to communications between e!Cockpit and CoDeSyS Gateway can trivially recover the password of any user attempting to log in, in plain text.
WAGO e!Cockpit 1.5.1.1
<https://www.wago.com/us/ecockpit-engineering-software>
6.2 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
e!Cockpit is programming software provided by WAGO for working with various WAGO product lines. It is used to write programs in the IEC 61131-3 languages, which can then be compiled for a programmable logic controller to run. The software is required in order to communicate with these devices, and it can be found in any industrial controller environment.
The hard-coded 32-byte key is used to XOR the plaintext password, together with a four-byte challenge that is incorrectly implemented. This four-byte challenge is included in all authentication packets and, due to a coding error, is reduced to a single-byte perturbation every four bytes within the password. Any authentication packet that is captured can easily be used to recover the plaintext password of the user.
    if (this._dwChallenge != 0u && this._cryptType == CryptType.XOR)
    {
        int num = 0;   // index into the hard-coded key
        int num2 = 0;  // index into the challenge array
        // Hard-coded 32-byte key
        char[] array = "zeDR96EfU#27vuph7Thub?phaDr*rUbR".ToCharArray();
        char[] array2 = this._stPassword.ToCharArray();
        // Output length: at least 32 bytes, rounded up to a multiple of 4
        uint num3 = (uint)(array2.Length + 1);
        if (num3 < 32u)
        {
            num3 = 32u;
        }
        if (num3 % 4u != 0u)
        {
            num3 += 4u - num3 % 4u;
        }
        byte[] array3 = new byte[num3];
        // The left shifts and the 16-bit char cast leave only the low challenge
        // byte in elements 0 and 1; elements 2 and 3 are always 0.
        char[] array4 = new char[]
        {
            (char)(this._dwChallenge & 255u),
            (char)(this._dwChallenge << 8 & 65280u),
            (char)(this._dwChallenge << 16 & 16711680u),
            (char)(this._dwChallenge << 24 & 4278190080u)
        };
        int num4 = 0;
        while ((long)num4 < (long)((ulong)num3))
        {
            char c = array[num];
            char c2 = '\0';  // zero padding past the end of the password
            if (num4 < array2.Length)
            {
                c2 = array2[num4];
            }
            // '+' binds tighter than '^': password char XOR (key char + challenge
            // char), truncated to a byte.
            array3[num4] = (byte)(c2 ^ c + array4[num2]);
            num++;
            if (num == array.Length)
            {
                num = 0;
            }
            num2++;
            if (num2 == 4)
            {
                num2 = 0;
            }
            num4++;
        }
        complexNodeWriter.AddDataTag(17, ContentAlignment.Align40).Write(array3);
    }
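The coding error described above, modelled in Python as an added example (not code from the advisory or from WAGO): it reproduces the keystream arithmetic of the decompiled routine and compares it with an assumed intended byte split (`>>` instead of `<<`) to show how little of the four-byte challenge reaches the output. The function names and the "assumed intent" variant are assumptions; the key is the one quoted on the page.

```python
KEY = b"zeDR96EfU#27vuph7Thub?phaDr*rUbR"  # hard-coded key quoted on the page

def split_as_shipped(challenge):
    """array4 as decompiled: left shifts, then C#'s (char) cast keeps 16 bits."""
    masks = (0xFF, 0xFF00, 0xFF0000, 0xFF000000)
    return [((challenge << (8 * i)) & m) & 0xFFFF for i, m in enumerate(masks)]

def split_assumed_intent(challenge):
    """Assumption: the author meant one challenge byte per element (>>, not <<)."""
    return [(challenge >> (8 * i)) & 0xFF for i in range(4)]

def keystream(challenge, length, split=split_as_shipped):
    """Byte XORed onto position i: (byte)(key[i % 32] + array4[i % 4])."""
    parts = split(challenge & 0xFFFFFFFF)
    return bytes((KEY[i % len(KEY)] + parts[i % 4]) & 0xFF for i in range(length))

def padded_length(password_len):
    """Buffer size rule: at least 32 bytes, rounded up to a multiple of 4."""
    n = max(password_len + 1, 32)
    return n + (-n % 4)

def obfuscate(password, challenge, split=split_as_shipped):
    """Model of array3 for passwords whose characters fit in one byte."""
    n = padded_length(len(password))
    data = password.encode("latin-1").ljust(n, b"\0")
    return bytes(p ^ k for p, k in zip(data, keystream(challenge, n, split)))

def challenge_dependent_positions(split, length=32):
    """Keystream positions that change when any single challenge bit is flipped."""
    base = keystream(0, length, split)
    changed = set()
    for bit in range(32):
        flipped = keystream(1 << bit, length, split)
        changed.update(i for i in range(length) if flipped[i] != base[i])
    return sorted(changed)

def distinct_keystreams(split, challenges):
    """Number of different 32-byte keystreams produced over a set of challenges."""
    return len({keystream(c, 32, split) for c in challenges})

if __name__ == "__main__":
    for name, split in (("as shipped", split_as_shipped),
                        ("assumed intent", split_assumed_intent)):
        print(name, challenge_dependent_positions(split),
              distinct_keystreams(split, range(4096)))
```

Even with the assumed intended split the scheme remains an XOR under a fixed key, so the comparison illustrates the coding error and is not a fix.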
2019-09-19 - Vendor Disclosure
2019-10-31 - Vendor passed to CERT@VDE for coordination/handling
2019-12-16 - Disclosure deadline extended
2020-01-28 - Talos discussion about vulnerabilities with Vendor
2020-03-09 - Public Release