Wago addresses PLC vulnerabilities

SecurityWeek reports that four security flaws impacting programmable logic controllers by German industrial automation solutions provider Wago have been fixed in recently issued patches. Critical severity ratings were given to two of the addressed vulnerabilities, the first of which, tracked as CVE-2022-45138, could be leveraged to enable device parameter reading and setting to achieve complete device compromise. Moreover, threat actors could exploit the second critical bug, tracked as CVE-2022-45140, to facilitate arbitrary data writing with root privileges, which could lead to the execution of arbitrary code and total system compromise. Meanwhile, the other remediated flaws were given a medium-severity rating, one of which could be used in cross-site scripting attacks, while the other could be exploited for information disclosure attacks. "These bugs can be chained together and weaponized in two different ways: 1) direct network access (I.e. the adversary is within the ICS or is attacking an Internet-facing device) or 2) Via cross-origin web requests (I.e. the adversary lures somebody within the ICS into viewing their malicious website). Neither scenario requires any user-interaction (besides just visiting the site) or permissions. The chain is completely unauthenticated," said Ryan Pickren from the Georgia Institute of Technologys Cyber-Physical Security Lab, who discovered and reported all the vulnerabilities.