CVE-2023-1698 – This critical vulnerability in WAGO products al... (How to Fix)

Q: What is the severity of CVE-2023-1698?

CVE-2023-1698 has a CVSS score of 9.8 (CRITICAL). This critical vulnerability in WAGO products allows unauthenticated remote attackers to create new user accounts and modify device configurations. This can lead to denial of service, system compromise, and unauthorized control of affected devices. Organizations using vulnerable WAGO industrial control systems are affected.

📋 TL;DR

This critical vulnerability in WAGO products allows unauthenticated remote attackers to create new user accounts and modify device configurations. This can lead to denial of service, system compromise, and unauthorized control of affected devices. Organizations using vulnerable WAGO industrial control systems are affected.

💻 Affected Systems

Products:

WAGO PFC100
WAGO PFC200
WAGO Touch Panel 600

Versions: Firmware versions prior to specific security updates (check vendor advisory for exact versions)

Operating Systems: Embedded Linux-based firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to take complete control of industrial devices, disrupt operations, manipulate processes, and potentially cause physical damage or safety incidents.

🟠

Likely Case

Unauthorized configuration changes leading to service disruption, data manipulation, and creation of persistent backdoor accounts for future attacks.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls preventing external attackers from reaching vulnerable interfaces.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation makes internet-exposed devices extremely vulnerable to automated attacks.

🏢 Internal Only: HIGH - Even internally, unauthenticated access allows any network user to compromise devices and potentially pivot to other systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability requires no authentication and minimal technical skill to exploit, making it highly attractive to attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific firmware versions

Vendor Advisory: https://cert.vde.com/en/advisories/VDE-2023-007/

Restart Required: Yes

Instructions:

1. Identify affected WAGO devices. 2. Download latest firmware from WAGO support portal. 3. Backup current configuration. 4. Apply firmware update following vendor instructions. 5. Verify update success and restore configuration if needed.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate WAGO devices from untrusted networks and restrict access to management interfaces

Access Control Lists

linux

Implement firewall rules to restrict access to WAGO device management ports

iptables -A INPUT -p tcp --dport [WAGO_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [WAGO_PORT] -j DROP

🧯 If You Can't Patch

Implement strict network segmentation to isolate vulnerable devices from untrusted networks
Deploy intrusion detection systems to monitor for exploitation attempts and configuration changes

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against vendor advisory. Attempt to access management interface without authentication to test for vulnerability.

Check Version:

Check via WAGO web interface or use vendor-specific CLI commands for firmware version

Verify Fix Applied:

Verify firmware version matches patched version from vendor advisory. Test that unauthenticated access to user creation and configuration functions is blocked.

📡 Detection & Monitoring

Log Indicators:

Unauthenticated access attempts to administrative interfaces
Unexpected user account creation
Configuration changes from unknown sources

Network Indicators:

Unusual traffic patterns to WAGO management ports
Multiple failed authentication attempts followed by successful access

SIEM Query:

source="WAGO_DEVICE" AND (event_type="user_creation" OR event_type="config_change") AND user="unknown"

📊 Metadata

CVE ID: CVE-2023-1698

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

Published: May 15, 2023

Last Updated: November 21, 2024

🔗 References

https://cert.vde.com/en/advisories/VDE-2023-007/ Third Party Advisory
https://cert.vde.com/en/advisories/VDE-2023-007/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-1698, you might also want to check these: