OT:Icefall: Vulnerabilities Identified in Wago Controllers

Forescout Technologies has disclosed the details of three vulnerabilities impacting operational technology (OT) products from Wago and Schneider Electric.

The flaws were identified as part of the OT:Icefall research that has led to the public disclosure of 61 vulnerabilities impacting more than 100 OT products from 13 vendors.

After an initial set of 56 vulnerabilities disclosed in June 2022, Forescout shared the details of three more flaws in November 2022, and is now adding two new bugs to the list, while also sharing information on a previously identified but not disclosed issue.

Tracked as CVE-2023-1619 and CVE-2023-1620, the new vulnerabilities impact Wago 750 controllers using the Codesys v2 runtime and could be exploited by an authenticated attacker to cause a denial-of-service (DoS) condition, Forescout says.

The first issue is the result of a poor implementation of protocol parsers, while the second is an insufficient session expiration bug. The two flaws can be exploited by an authenticated attacker to crash a device, by sending a malformed packet or specific requests after being logged out, respectively.

Returning the device to the operating state requires a manual reboot in both cases, Forescout explains.

Used in commercial facilities, energy, manufacturing, and transport, Wago 750 automation controllers support a variety of protocols, including BACnet/IP, CANopen, DeviceNet Ethernet/IP, KNX, LonWorks, Modbus, and PROFIBUS.

Forescout also shared details on a high-severity vulnerability in Schneider Electric ION and PowerLogic product lines, which was identified in the first set of OT:Icefall bugs, but not made public at the request of the vendor.

Tracked as CVE-2022-46680, the issue impacts the power meters’ ION/TCP protocol implementation, which transmits a user ID and password in plaintext with every message, thus exposing them to an attacker that can passively intercept traffic.

“An attacker who obtains ION or PowerLogic credentials can authenticate to the ION/TCP engineering interface as well as SSH and HTTP interfaces to change energy monitor configuration settings and potentially modify firmware. If the credentials in question are (re)used for other applications, their compromise could potentially facilitate lateral movement,” Forescout explains.

These devices should not be accessible from the internet, but Forescout says it has identified between 2,000 and 4,000 potentially unique devices that are exposed online.

Most of the identified Wago controllers have the HTTP protocol exposed, while the Schneider Electric meters expose the Telnet protocol. Wago devices are highly popular in Europe (mainly in Germany, Turkey and France), while ION meters are popular in North America.

Concluding the one-year OT:Icefall research, Forescout notes that it has identified several instances of incomplete patches, including some that originate in software supply-chain components that led to new vulnerabilities.

With advisories issued for most of the discovered flaws (except for bugs in Emerson’s Ovation distributed control system), vendor response to OT:Icefall was good, especially if compared to the 2021 Project Memoria research that identified roughly 100 vulnerabilities in TCP/IP stacks, for which only 22.5% of the impacted vendors have issued advisories.

Related: Ripple20: Flaws in Treck TCP/IP Stack Expose Millions of IoT Devices to Attacks

Related: ‘AMNESIA:33’ Vulnerabilities in TCP/IP Stacks Expose Millions of Devices to Attacks

Related: Vulnerabilities in TCP/IP Stacks Allow for TCP Connection Hijacking, Spoofing