CVE-2021-20997

7.5 HIGH

📋 TL;DR

This vulnerability in WAGO managed switches allows attackers to read password hashes of all Web-based Management users. This affects organizations using vulnerable WAGO switch models, potentially exposing administrative credentials.

💻 Affected Systems

Products:
  • WAGO managed switches (specific models not detailed in provided references)
Versions: Multiple versions (specific ranges not detailed in provided references)
Operating Systems: Embedded switch firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Web-based Management interface users; exact product list may require checking vendor advisory.

📦 What is this software?

WAGO managed switches are industrial Ethernet switches from WAGO used in automation and control networks. They are administered through a Web-based Management (WBM) interface, and that interface's user store is what this CVE concerns.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain the password hashes, crack them offline, gain administrative access to the switches, and pivot to other network segments or disrupt critical infrastructure.

🟠 Likely Case

Attackers harvest the password hashes, crack the weak ones, and gain unauthorized access to switch management interfaces for reconnaissance or configuration changes.

🟢 If Mitigated

With strong password policies and network segmentation, impact is limited to hash exposure without successful cracking or lateral movement.

🌐 Internet-Facing: HIGH if the WBM is reachable from the internet, since any attacker who can reach it can harvest the hashes remotely.
🏢 Internal Only: MEDIUM for internal networks; the attacker needs a foothold on the network, but the credentials are still exposed to insider threats or compromised hosts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The 7.5 score shown here is consistent with the CVSS v3 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, i.e. network-reachable, low complexity, no privileges required, confidentiality impact only, which is why the readout is listed as unauthenticated. CWE-522 (Insufficiently Protected Credentials) describes the weakness class, not the authentication requirement; confirm the exact vector and preconditions against the vendor advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in references; check vendor advisory for updated firmware versions.

Vendor Advisory: https://cert.vde.com/en-us/advisories/vde-2021-013

Restart Required: Yes

Instructions:

1. Check the vendor advisory (VDE-2021-013) for the patched firmware version of each affected model.
2. Download the updated firmware from WAGO support and, if WAGO publishes a checksum or signature for the image, verify it before use.
3. Back up the switch configuration.
4. Apply the firmware update via the management interface.
5. Restart the switch to activate the new firmware, then confirm the running version.
6. Reset the passwords of all WBM users: hashes read before the update may already be in an attacker's hands, and they stay valid until the passwords change.

🔧 Temporary Workarounds

Restrict network access (applies to: all affected versions)

Limit access to the switch management interfaces to trusted IPs only. Configure firewall rules or ACLs in front of the switches, or on the switch itself where the model supports it, so that only specific source addresses can reach the WBM (e.g., an access list that permits the trusted management hosts and denies everything else). The syntax is vendor-specific; check the WAGO documentation for the model in use.

Disable Web-based Management if unused (applies to: all affected versions)

Turn off the vulnerable web interface if it is not required for operations, via the switch CLI or configuration menu. The exact command is vendor-specific; check the WAGO documentation.

🧯 If You Can't Patch

  • Enforce strong password policies (e.g., 12+ characters, complexity) to make hash cracking difficult.
  • Monitor for unauthorized access attempts to switch management interfaces and review logs regularly.

🔍 How to Verify

Check if Vulnerable:

From a host with no WBM session (and, for completeness, from a low-privilege WBM account), test whether the password hashes can be retrieved from the switch's web management endpoint. The endpoint is not given in the references provided here; consult the vendor advisory.

Check Version:

Check switch firmware version via web interface or CLI (e.g., 'show version' or similar vendor-specific command).

Verify Fix Applied:

After patching, attempt to retrieve password hashes via the same method; successful patch should block access or return no data.
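The verification steps above describe a before/after probe but not how to judge the response. The following is an added example (not from the page or from WAGO) that classifies a captured WBM response into the three outcomes the text distinguishes: blocked, hashes exposed, or no credential data. The hash formats it recognises (crypt-style $1$/$5$/$6$, bcrypt, bare hex digests) and the sample JSON bodies are assumptions for illustration; the page does not say how WAGO stores or returns hashes, so extend HASH_PATTERNS once the real format is known.

```python
import re

# Hash shapes an exposed WBM user list might contain. These formats are an
# assumption for illustration; the page does not say how WAGO stores hashes.
HASH_PATTERNS = {
    "crypt": re.compile(r"\$(?:1|5|6)\$[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{22,86}"),
    "bcrypt": re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"),
    "hex": re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b"),
}


def find_hashes(body: str) -> list[tuple[str, str]]:
    """Return (format, value) pairs for every hash-like token in a response body."""
    found = []
    for name, pat in HASH_PATTERNS.items():
        found.extend((name, m.group(0)) for m in pat.finditer(body))
    return found


def classify_response(status: int, body: str) -> str:
    """Map a WBM response to the outcomes the verification step distinguishes.

    'blocked'  - the endpoint refused, redirected (e.g. to a login page) or no longer exists
    'exposed'  - a 2xx body contains hash-like credential material
    'no_data'  - a 2xx body with no hash material (fixed firmware may still list user names)
    """
    if status >= 300:
        return "blocked"
    return "exposed" if find_hashes(body) else "no_data"


def fix_is_effective(before: str, after: str) -> bool:
    """True when a pre-patch 'exposed' probe no longer yields hashes after the update."""
    return before == "exposed" and after in ("blocked", "no_data")


# Constructed sample responses (not captured from a real device).
VULNERABLE_BODY = (
    '{"users": [{"name": "admin", "pw": "5f4dcc3b5aa765d61d8327deb882cf99"}, '
    '{"name": "operator", "pw": "$6$Qx9f2Lp1$' + "A" * 86 + '"}]}'
)
FIXED_BODY = '{"users": [{"name": "admin"}, {"name": "operator"}]}'

if __name__ == "__main__":
    before = classify_response(200, VULNERABLE_BODY)
    after = classify_response(200, FIXED_BODY)
    print(before, after, fix_is_effective(before, after))
```

Run the probe once before the firmware update and once after, feed each (status, body) pair to classify_response, and record the result alongside the firmware version; a "no_data" result alone is not proof of the fix unless the same probe returned "exposed" beforehand.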

📡 Detection & Monitoring

Log Indicators:

  • Unusual access to password hash-related endpoints in web server logs.
  • Multiple failed login attempts following hash retrieval.

Network Indicators:

  • HTTP requests to switch management IPs targeting hash exposure paths.
  • Traffic from untrusted sources to switch management ports.

SIEM Query:

Example (pseudo-query; adapt the field names to your SIEM, and group the port and path clauses so the AND/OR precedence is explicit):

source_ip NOT IN trusted_networks AND (dest_port = 80 OR dest_port = 443) AND (url_path CONTAINS "hash" OR url_path CONTAINS "password")

Treat hits as leads rather than confirmations: the exact exposure path is not given in the references, so substitute the endpoint named in the vendor advisory once it is known.
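To make the log and network indicators above concrete, here is an added example (not from the page or from WAGO) that runs the same logic as the SIEM query over web server log lines and then correlates a hash-endpoint access with the "multiple failed logins afterwards" indicator. The log line format, the trusted subnets, the /wbm/... paths and the sample lines are all constructed for illustration; WAGO's real endpoint names are not known from the references.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed trusted management subnets; adjust to the real network.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "192.168.50.0/24")]
MGMT_PORTS = {80, 443}
SUSPECT_PATH_TERMS = ("hash", "password")   # the page's "hash exposure path" indicator
LOGIN_PATH_TERMS = ("login", "auth")

# Constructed log format (not a real WAGO log): "<src> [<ISO time>] <method> <path> <status> port=<dst_port>"
LOG_RE = re.compile(
    r"^(?P<src>\S+) \[(?P<ts>[^\]]+)\] (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) port=(?P<port>\d+)$"
)

# Constructed sample lines; the /wbm/... paths are hypothetical, not WAGO's real endpoints.
SAMPLE_LOG = """\
10.10.0.5 [2021-06-01T08:00:00] GET /wbm/users 200 port=443
203.0.113.7 [2021-06-01T08:01:10] GET /wbm/password_hashes 200 port=443
203.0.113.7 [2021-06-01T08:03:00] POST /wbm/login 401 port=443
203.0.113.7 [2021-06-01T08:03:05] POST /wbm/login 401 port=443
203.0.113.7 [2021-06-01T08:03:09] POST /wbm/login 401 port=443
203.0.113.7 [2021-06-01T08:03:20] POST /wbm/login 200 port=443
198.51.100.9 [2021-06-01T09:00:00] GET /wbm/index.html 200 port=80
"""


def parse(line: str) -> dict:
    """Parse one constructed log line into typed fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    return {
        "src": m["src"],
        "ts": datetime.fromisoformat(m["ts"]),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "port": int(m["port"]),
    }


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def detect(log_text: str, window: timedelta = timedelta(minutes=10), min_failures: int = 3) -> list[tuple]:
    """Emit alerts for untrusted management access, hash-path access, and
    failed logins that follow a hash-path access within `window`."""
    events = [parse(ln) for ln in log_text.splitlines() if ln.strip()]
    alerts: list[tuple] = []
    seen_untrusted: set[str] = set()              # one network-indicator alert per source
    retrievals: list[tuple[str, datetime]] = []   # (src, time) of suspected hash readouts
    failures: dict[str, list[datetime]] = defaultdict(list)

    for e in events:
        path = e["path"].lower()
        if e["port"] in MGMT_PORTS and not is_trusted(e["src"]):
            if e["src"] not in seen_untrusted:
                seen_untrusted.add(e["src"])
                alerts.append(("untrusted_mgmt_access", e["src"], e["path"]))
            if any(t in path for t in SUSPECT_PATH_TERMS):
                alerts.append(("hash_endpoint_access", e["src"], e["path"]))
                retrievals.append((e["src"], e["ts"]))
        if e["status"] == 401 and any(t in path for t in LOGIN_PATH_TERMS):
            failures[e["src"]].append(e["ts"])

    # Correlation: a burst of failed logins shortly after a hash readout suggests cracking in progress.
    for src, ts in retrievals:
        n = sum(1 for f in failures[src] if ts <= f <= ts + window)
        if n >= min_failures:
            alerts.append(("failed_logins_after_hash_retrieval", src, n))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data the untrusted host 203.0.113.7 triggers all three alert kinds, while the trusted 10.10.0.5 reading /wbm/users triggers none; the correlation window and failure threshold are tunable and should be set from the normal login-failure rate on the management network.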

🔗 References

  • CERT@VDE advisory VDE-2021-013: https://cert.vde.com/en-us/advisories/vde-2021-013