PT-2020-11077 · Lighttpd+2 · Lighttpd+4

Patrick Desantis · Published 2020-03-10 · Updated 2020-03-13 · CVE-2019-5149

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
WAGO PFC100 versions prior to 03.02.02
WAGO PFC2000 versions prior to 03.01.07

Description
The WBM web application runs on a lighttpd web server and uses the FastCGI module to provide high performance for Internet applications. However, the default configuration of this module limits the number of concurrent php-cgi processes to two. With so few workers, the pool can be kept fully occupied, which can be abused to cause a denial of service of the entire web server.

Recommendations
For WAGO PFC100 versions prior to 03.02.02, update to version 03.02.02 or later to resolve the issue.
For WAGO PFC2000 versions prior to 03.01.07, update to version 03.01.07 or later to resolve the issue.
As a temporary workaround, consider restricting access to the FastCGI module to minimize the risk of exploitation.
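As an added illustration, not taken from the advisory, the WAGO firmware or the lighttpd project, the fragment below sketches the configuration shape the description implies (a lighttpd fastcgi.server entry whose "max-procs" caps php-cgi at two processes) next to a more resilient variant that adds worker capacity and applies the access restriction the workaround recommends. All paths, process counts and the management subnet are assumed values, and the vendor's actual change in 03.02.02 / 03.01.07 is not described on this page.

```conf
# --- Shape described in the advisory (shown commented out) ---
# Only two php-cgi processes serve every PHP request; once both are
# busy, all further requests queue and the WBM becomes unresponsive.
# fastcgi.server = ( ".php" =>
#   ((
#     "bin-path"  => "/usr/bin/php-cgi",     # assumed path
#     "socket"    => "/tmp/php-fastcgi.socket",
#     "max-procs" => 2
#   ))
# )

# --- More resilient shape (assumed values throughout) ---
# mod_access is listed before mod_fastcgi so the deny rule is
# evaluated before a request is handed to a PHP worker.
server.modules += ( "mod_access", "mod_fastcgi" )

fastcgi.server = ( ".php" =>
  ((
    "bin-path"        => "/usr/bin/php-cgi",
    "socket"          => "/tmp/php-fastcgi.socket",
    # More spawner processes, each forking its own PHP child pool.
    # This only raises the cost of exhausting the pool; it does not
    # remove the resource-exhaustion class of problem by itself.
    "max-procs"       => 4,
    "bin-environment" => (
      "PHP_FCGI_CHILDREN"     => "8",
      "PHP_FCGI_MAX_REQUESTS" => "10000"
    )
  ))
)

# Restrict the PHP-backed pages to an assumed management subnet
# (10.0.0.0/24); everything else is denied before reaching FastCGI.
$HTTP["remoteip"] !~ "^10\.0\.0\." {
  $HTTP["url"] =~ "\.php$" {
    url.access-deny = ( "" )
  }
}
```

Restricting who can reach the FastCGI-backed URLs is the part that actually limits exposure; the larger worker pool only makes the limit harder to hit and should be sized to the controller's memory.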

Weakness Enumeration
Resource Exhaustion

Related Identifiers
CVE-2019-5149

Affected Products

Fastcgi
Wago Pfc100
Wago Pfc2000
Lighttpd
Php-Cgi