CVE-2019-5168

Name of the Vulnerable Software and Affected Versions WAGO PFC 200 version 03.02.02(14)

Description A command injection issue exists in the iocheckd service, specifically in the 'I/O-Check' function. This is due to the use of user-input data from an XML cache file in a system command. An attacker can craft a special XML cache file to inject commands. The domainname value from the XML file is used in the /etc/config-tools/edit dns server command with domain-name=<contents of domainname node>, which is executed via system().

Recommendations For WAGO PFC 200 version 03.02.02(14), as a temporary workaround, consider restricting access to the iocheckd service to minimize the risk of exploitation. Avoid using the domainname value from untrusted XML files in the /etc/config-tools/edit dns server command until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.