PT-2020-11073 · Wago+1 · Wago Pfc 200+2

Published: 2020-03-10 · Updated: 2021-07-21 · CVE-2019-5135

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

WAGO PFC100 Firmware version 03.00.39(12)
WAGO PFC200 Firmware versions 03.00.39(12) through 03.01.07(13)

Description

An exploitable timing discrepancy vulnerability exists in the authentication functionality of the Web-Based Management (WBM) web application on WAGO PFC100/200 controllers. The WBM application makes use of the PHP crypt() function which can be exploited to disclose hashed user credentials.

Recommendations

For WAGO PFC100 Firmware version 03.00.39(12), consider disabling the crypt() function in the WBM application until a patch is available. For WAGO PFC200 Firmware versions 03.00.39(12) through 03.01.07(13), consider disabling the crypt() function in the WBM application until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Use of a Broken Cryptographic Algorithm

Weakness Enumeration

Related Identifiers

CVE-2019-5135

Affected Products

Php
Wago Pfc100
Wago Pfc 200