CVE-2019-5159

Name of the Vulnerable Software and Affected Versions WAGO e!COCKPIT automation software version 1.6.0.7

Description An exploitable improper input validation issue exists in the firmware update functionality. A specially crafted firmware update file can allow an attacker to write arbitrary files to arbitrary locations on WAGO controllers, potentially resulting in code execution. An attacker can create a malicious firmware update package file using any zip utility. The user must initiate a firmware update through e!COCKPIT and choose the malicious wup file using the file browser to trigger the issue.

Recommendations For version 1.6.0.7, as a temporary workaround, consider restricting the use of the firmware update functionality until a patch is available. Avoid using malicious or unverified wup files in the firmware update process. Restrict access to the firmware update feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.