CVE-2019-5178

7.8 HIGH

📋 TL;DR

This is a stack buffer overflow vulnerability in the iocheckd service of WAGO PFC 200 industrial controllers. An attacker can send specially crafted packets to crash the service or potentially execute arbitrary code. This affects organizations using WAGO PFC 200 Firmware version 03.02.02(14) in industrial control systems.

💻 Affected Systems

Products:
  • WAGO PFC 200
Versions: Firmware version 03.02.02(14)
Operating Systems: Embedded Linux-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The iocheckd service runs by default on affected firmware versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, disruption of industrial processes, or lateral movement within OT networks.

🟠 Likely Case

Service crash causing denial of service to the I/O-Check functionality, potentially disrupting industrial operations.

🟢 If Mitigated

Limited impact if network segmentation prevents access to the vulnerable service from untrusted networks.

🌐 Internet-Facing: HIGH if devices are directly exposed to the internet, as the exploit is unauthenticated.
🏢 Internal Only: MEDIUM to HIGH depending on network segmentation and attacker access to internal networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is well-documented with proof-of-concept details available in the Talos report. Exploitation requires sending a specially crafted packet to the iocheckd service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Later firmware versions (check WAGO advisory)

Vendor Advisory: https://www.wago.com/global/industrial-security/security-advisory

Restart Required: Yes

Instructions:

1. Check WAGO security advisory for specific patched version.
2. Backup configuration.
3. Download updated firmware from WAGO.
4. Apply firmware update following vendor instructions.
5. Reboot device.

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Isolate WAGO PFC 200 devices from untrusted networks using firewalls or VLANs.

Service Disablement (Linux)

Disable the iocheckd service if not required for operations.

SSH into the device and run:

  systemctl stop iocheckd
  systemctl disable iocheckd

🧯 If You Can't Patch

  • Implement strict network access controls to limit connections to the iocheckd service (default port 6626).
  • Monitor for crash logs of the iocheckd service and network traffic patterns indicating exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface or SSH: cat /etc/version_info | grep Firmware

Check Version:

cat /etc/version_info | grep Firmware

Verify Fix Applied:

Verify firmware version is updated beyond 03.02.02(14) and iocheckd service is either patched or disabled.
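
The verification steps above as a script; this is an added example, not WAGO tooling or code from the advisory. The function names are hypothetical, and it assumes the Firmware line of /etc/version_info contains a version shaped like 03.02.02(14).

```shell
#!/bin/sh
# Added example. Assumption: the Firmware line holds a token NN.NN.NN(NN).
VULN_VERSION='03.02.02(14)'

# Print the first NN.NN.NN(NN) token found in the text, or nothing.
extract_fw_version() {
    printf '%s\n' "$1" |
        { grep -oE '[0-9]+\.[0-9]+\.[0-9]+\([0-9]+\)' || true; } | head -n 1
}

# 03.02.02(14) -> "3 2 2 14". awk's %d drops leading zeros, so fields such
# as 08 or 09 are not misread as invalid octal by shell arithmetic.
fw_fields() {
    printf '%s\n' "$1" | tr '.()' '   ' |
        awk '{ printf "%d %d %d %d\n", $1, $2, $3, $4 }'
}

# Exit 0 if version $1 is strictly newer than version $2, else exit 1.
fw_newer_than() {
    printf '%s %s\n' "$(fw_fields "$1")" "$(fw_fields "$2")" | awk '{
        for (i = 1; i <= 4; i++) {
            if ($i + 0 > $(i + 4) + 0) exit 0
            if ($i + 0 < $(i + 4) + 0) exit 1
        }
        exit 1   # identical versions are not "beyond" the affected one
    }'
}

# Print UPDATED, NOT_UPDATED or UNKNOWN for a line of version text.
classify_firmware() {
    v=$(extract_fw_version "$1")
    if [ -z "$v" ]; then
        echo UNKNOWN
    elif fw_newer_than "$v" "$VULN_VERSION"; then
        echo UPDATED
    else
        echo NOT_UPDATED
    fi
}

# On the device: firmware state plus whether iocheckd still runs or starts.
check_device() {
    echo "firmware: $(classify_firmware "$(grep Firmware /etc/version_info 2>/dev/null)")"
    echo "iocheckd active:  $(systemctl is-active iocheckd 2>/dev/null || true)"
    echo "iocheckd enabled: $(systemctl is-enabled iocheckd 2>/dev/null || true)"
}

if [ "${1:-}" = "--device" ]; then check_device; fi
```

Run it with --device on the controller. A NOT_UPDATED result with iocheckd still active or enabled means neither the fix nor the workaround is in place.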

📡 Detection & Monitoring

Log Indicators:

  • iocheckd service crash logs
  • unexpected process termination

Network Indicators:

  • Unusual traffic to port 6626
  • Packets with long hostname fields (>1024 bytes)

SIEM Query:

source="wago_logs" AND ((process="iocheckd" AND event="crash") OR (dest_port=6626 AND packet_size>1100))
