CVE-2019-5167

Name of the Vulnerable Software and Affected Versions WAGO PFC 200 version 03.02.02(14)

Description A command injection issue exists in the iocheckd service, specifically in the 'I/O-Check' function. This occurs when the dns value extracted from an XML file is used as an argument to the /etc/config-tools/edit dns server command, which is later executed via a call to system(). The command is executed in a loop, with no limit on the number of DNS entries parsed from the XML file.

Recommendations For WAGO PFC 200 version 03.02.02(14), consider restricting access to the iocheckd service until a patch is available. As a temporary workaround, avoid using the dns value from the XML file in the /etc/config-tools/edit dns server command to minimize the risk of exploitation.