PT-2019-3574 · Wago · Wago 852-1505+2
Published
2019-06-13
·
Updated
2019-06-19
·
CVE-2019-12549
CVSS v3.1
10
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
WAGO 852-303 versions before FW06
WAGO 852-1305 versions before FW06
WAGO 852-1505 versions before FW03
Description
The issue is related to hardcoded private keys for the SSH daemon in the affected devices. This means that the SSH host key fingerprint matches the embedded private key, potentially allowing unauthorized access. The vulnerability could enable a remote attacker to access the device via SSH.
Recommendations
For WAGO 852-303 versions before FW06, update to FW06 or later to resolve the issue.
For WAGO 852-1305 versions before FW06, update to FW06 or later to resolve the issue.
For WAGO 852-1505 versions before FW03, update to FW03 or later to resolve the issue.
As a temporary workaround, consider restricting SSH access to minimize the risk of exploitation.
Fix
Using Hardcoded Credentials
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wago 852-1305
Wago 852-1505
Wago 852-303