WAGO Series 750-88x and 750-87x Use of Hard-Coded Credentials (CVE-2019-10712)

critical Tenable OT Security Plugin ID 500836

Synopsis

The remote OT asset is affected by a vulnerability.

Description

The Web-GUI on WAGO Series 750-88x (750-330, 750-352, 750-829, 750-831, 750-852, 750-880, 750-881, 750-882, 750-884, 750-885, 750-889) and Series 750-87x (750-830, 750-849, 750-871, 750-872, 750-873) devices has undocumented service access.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

WAGO released a security advisory available at:https://www.wago.com/de/download/public/Sicherheitshinweis-SA- SYS-2019-001/SA-SYS-2019-001.pdf

WAGO recommends updating to the newest firmware as listed above and taking the following defensive measures:

- Restrict network access to the web server.
- Restrict network access to the device.
- Do not directly connect the device to the Internet.

CERT@VDE has published an advisory regarding this vulnerability at the following location:

https://cert.vde.com/en-us/advisories/vde-2019-008

See Also

http://www.nessus.org/u?048bd3b9

https://cert.vde.com/de-de/advisories/vde-2019-008

http://www.securityfocus.com/bid/108482

http://www.nessus.org/u?51f00a97

http://www.nessus.org/u?2f90ce40

http://www.nessus.org/u?b6042853

http://www.nessus.org/u?c8257f55

http://www.nessus.org/u?18314046

http://www.nessus.org/u?1cc44fa1

https://www.cisa.gov/news-events/ics-advisories/icsa-19-106-02

Plugin Details

Severity: Critical

ID: 500836

Version: 1.7

Type: remote

Family: Tenable.ot

Published: 2/17/2023

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-10712

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:wago:750-330_firmware, cpe:/o:wago:750-829_firmware, cpe:/o:wago:750-352_firmware, cpe:/o:wago:750-852_firmware, cpe:/o:wago:750-872_firmware, cpe:/o:wago:750-884_firmware, cpe:/o:wago:750-873_firmware, cpe:/o:wago:750-880_firmware, cpe:/o:wago:750-830_firmware, cpe:/o:wago:750-831_firmware, cpe:/o:wago:750-889_firmware, cpe:/o:wago:750-871_firmware, cpe:/o:wago:750-849_firmware, cpe:/o:wago:750-885_firmware, cpe:/o:wago:750-882_firmware, cpe:/o:wago:750-881_firmware

Required KB Items: Tenable.ot/Wago

Exploit Ease: No known exploits are available

Patch Publication Date: 5/7/2019

Vulnerability Publication Date: 5/7/2019

Reference Information

CVE: CVE-2019-10712

CWE: 798

ICSA: 19-106-02