CVE-2019-5180

7.8 HIGH

📋 TL;DR

This is a stack buffer overflow vulnerability in the iocheckd service of WAGO PFC 200 industrial controllers. An attacker can send specially crafted packets to trigger the overflow, potentially leading to service crashes or remote code execution. Organizations using WAGO PFC 200 Firmware version 03.02.02(14) are affected.

💻 Affected Systems

Products:
  • WAGO PFC 200
Versions: Firmware version 03.02.02(14)
Operating Systems: Embedded Linux-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The iocheckd service runs by default on affected firmware versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with root privileges, allowing complete compromise of the industrial controller and potential lateral movement to other systems.

🟠 Likely Case

Service crash causing denial of service to the industrial controller, disrupting industrial processes and operations.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent attackers from reaching the vulnerable service.

🌐 Internet-Facing: HIGH - Industrial controllers exposed to the internet are directly vulnerable to remote exploitation.
🏢 Internal Only: MEDIUM - Requires network access to the controller, but internal attackers or compromised systems could exploit it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires sending a specially crafted packet to the iocheckd service, which is well-documented in the Talos report.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check WAGO security advisories for updated firmware versions

Vendor Advisory: https://www.wago.com/global/industrial-security/security-advisories

Restart Required: Yes

Instructions:

1. Check WAGO security advisories for patch availability.
2. Download updated firmware from WAGO support portal.
3. Apply firmware update following WAGO documentation.
4. Restart the controller to activate the patch.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate WAGO PFC 200 controllers in separate network segments with strict firewall rules.

Service Disablement

linux

Disable the iocheckd service if not required for operations (may impact functionality).

systemctl stop iocheckd
systemctl disable iocheckd

🧯 If You Can't Patch

  • Implement strict network access controls to limit connections to the iocheckd service (port 6626 by default).
  • Monitor network traffic for anomalous packets targeting the iocheckd service and implement intrusion detection rules.

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface or SSH: grep -F '03.02.02(14)' /etc/version_info

Check Version:

cat /etc/version_info

Verify Fix Applied:

Verify firmware version is updated beyond 03.02.02(14) and test that iocheckd service no longer crashes with malformed packets.

📡 Detection & Monitoring

Log Indicators:

  • iocheckd service crash logs in /var/log/messages
  • Segmentation fault errors related to iocheckd

Network Indicators:

  • Unusual traffic to port 6626 (default iocheckd port)
  • Packets with long ip parameter values (>1024 bytes)

SIEM Query:

source="*messages*" AND "iocheckd" AND ("segmentation fault" OR "crash")
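
Offline equivalent of the SIEM query above, as an added example that is not part of the original advisory or WAGO tooling: it scans syslog text for iocheckd crash lines and flags hosts where the service crashes repeatedly in a short window. The sample lines are constructed, and the "segfault" spelling, the threshold of 3 crashes and the 5-minute window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog lines for illustration; not captured from a real controller.
SAMPLE_LOG = """\
Mar  4 10:15:01 pfc200-a iocheckd[812]: listening on port 6626
Mar  4 10:17:42 pfc200-a kernel: iocheckd[812]: segfault at 0
Mar  4 10:17:43 pfc200-a init: iocheckd respawned
Mar  4 10:18:05 pfc200-a kernel: iocheckd[840]: segfault at 0
Mar  4 10:19:30 pfc200-a kernel: iocheckd[851]: Segmentation fault
Mar  4 11:02:10 pfc200-b codesys[455]: crash handler installed
Mar  4 12:40:00 pfc200-b init: iocheckd crash detected, restarting
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s(.*)$")
# Same terms as the SIEM query, plus the kernel's "segfault" spelling (assumption).
CRASH_RE = re.compile(r"segmentation fault|segfault|crash", re.IGNORECASE)


def crash_events(log_text):
    """Return {host: [timestamps]} for lines naming iocheckd and a crash term."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, host, msg = m.groups()
        if "iocheckd" in msg and CRASH_RE.search(msg):
            # Syslog omits the year; a fixed one is enough for time deltas.
            events[host].append(datetime.strptime(f"2000 {stamp}", "%Y %b %d %H:%M:%S"))
    return dict(events)


def crash_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {host: first_crash_time} where `threshold` crashes fit in `window`."""
    flagged = {}
    for host, times in events.items():
        times = sorted(times)
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[host] = times[i]
                break
    return flagged


if __name__ == "__main__":
    for host, first in crash_bursts(crash_events(SAMPLE_LOG)).items():
        print(f"{host}: repeated iocheckd crashes starting {first:%b %d %H:%M:%S}")
```

A single crash matches the log indicator; the burst check separates a one-off fault from a service that keeps crashing after each restart, which is worth correlating with traffic to port 6626.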
