CVE-2019-5106
A hard-coded encryption key vulnerability exists in the authentication functionality of WAGO e!Cockpit, version 1.5.1.1. An attacker with access to communications between e!Cockpit and CoDeSyS Gateway can trivially recover the password of any user attempting to log in, in plain text.
WAGO e!Cockpit 1.5.1.1
https://www.wago.com/us/ecockpit-engineering-software
6.2 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
e!Cockpit is programming software provided by WAGO for working with the various product lines WAGO produces. It is used to write programs in the languages specified by IEC-61131-3, which can then be compiled for a programmable logic controller to run. This software is required to be able to communicate with these devices, and it can be found in any industrial controller environment.
The hard-coded 32-byte key is used to XOR the plaintext password, together with a four-byte challenge that is incorrectly implemented. This four-byte challenge is included in all authentication packets and, due to a coding error, is reduced to a single-byte perturbation every four bytes within the password. Any captured authentication packet can easily be used to recover the plaintext password of the user.
    if (this._dwChallenge != 0u && this._cryptType == CryptType.XOR)
    {
        int num = 0;   // index into the key
        int num2 = 0;  // index into the challenge array
        // Hard-coded 32-byte key
        char[] array = "zeDR96EfU#27vuph7Thub?phaDr*rUbR".ToCharArray();
        char[] array2 = this._stPassword.ToCharArray();
        // Output length: password plus terminator, at least 32, padded to a multiple of 4
        uint num3 = (uint)(array2.Length + 1);
        if (num3 < 32u)
        {
            num3 = 32u;
        }
        if (num3 % 4u != 0u)
        {
            num3 += 4u - num3 % 4u;
        }
        byte[] array3 = new byte[num3];
        // The challenge is shifted left before masking, so only the first
        // entry has a non-zero low byte
        char[] array4 = new char[]
        {
            (char)(this._dwChallenge & 255u),
            (char)(this._dwChallenge << 8 & 65280u),
            (char)(this._dwChallenge << 16 & 16711680u),
            (char)(this._dwChallenge << 24 & 4278190080u)
        };
        int num4 = 0;
        while ((long)num4 < (long)((ulong)num3))
        {
            char c = array[num];
            char c2 = '\0';
            if (num4 < array2.Length)
            {
                c2 = array2[num4];
            }
            // '+' binds tighter than '^': password char XOR (key char + challenge entry),
            // then truncated to a byte
            array3[num4] = (byte)(c2 ^ c + array4[num2]);
            num++;
            if (num == array.Length)
            {
                num = 0;
            }
            num2++;
            if (num2 == 4)
            {
                num2 = 0;
            }
            num4++;
        }
        complexNodeWriter.AddDataTag(17, ContentAlignment.Align40).Write(array3);
    }
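The following Python model is an added example, not code from the advisory or from WAGO. It reproduces the arithmetic of the listing above to show why the four-byte challenge collapses to its low byte at every fourth position. It assumes unchecked C# casts and an ASCII password, and it uses a constructed stand-in key because the result does not depend on the key's value.

```python
# Constructed 32-byte stand-in key (not the product's key); the defect is key-independent.
KEY = bytes(range(0x40, 0x60))

def challenge_chars(challenge: int) -> list[int]:
    """The four array4 entries: uint shift and mask, then a 16-bit (char) cast."""
    ch = challenge & 0xFFFFFFFF
    terms = [
        ch & 0xFF,
        (ch << 8) & 0xFF00,
        (ch << 16) & 0xFF0000,
        (ch << 24) & 0xFF000000,
    ]
    return [t & 0xFFFF for t in terms]  # (char) keeps only the low 16 bits

def effective_addends(challenge: int) -> list[int]:
    """What each entry still contributes after the final (byte) cast."""
    return [t & 0xFF for t in challenge_chars(challenge)]

def padded_length(password_len: int) -> int:
    """Password plus terminator, at least 32, rounded up to a multiple of 4."""
    n = max(password_len + 1, 32)
    return n + (-n % 4)

def encode(password: bytes, challenge: int, key: bytes = KEY) -> bytes:
    """Port of the loop: out[i] = (byte)(pw[i] ^ (key[i % 32] + array4[i % 4]))."""
    chars = challenge_chars(challenge)
    out = bytearray(padded_length(len(password)))
    for i in range(len(out)):
        p = password[i] if i < len(password) else 0
        out[i] = (p ^ (key[i % len(key)] + chars[i % 4])) & 0xFF
    return bytes(out)

def challenge_dependent_positions(password: bytes, a: int, b: int) -> list[int]:
    """Output indexes that differ when only the challenge changes."""
    ea, eb = encode(password, a), encode(password, b)
    return [i for i in range(len(ea)) if ea[i] != eb[i]]

if __name__ == "__main__":
    pw = b"example-password"  # constructed sample input
    print(effective_addends(0x11223344))  # upper three bytes never reach the output
    print(encode(pw, 0x11223344) == encode(pw, 0xAABBCC44))
    print(challenge_dependent_positions(pw, 0x00000001, 0x00000002))
```

A correct split would shift right (`>> 8`, `>> 16`, `>> 24`) before masking to a byte, although that alone would not fix the scheme, since the key is static and the challenge travels in the same packet.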
2019-09-19 - Vendor Disclosure
2019-10-31 - Vendor passed to CERT@VDE for coordination/handling
2019-12-16 - Disclosure deadline extended
2020-01-28 - Talos discussion about vulnerabilities with Vendor
2020-03-09 - Public Release
Discovered by Carl Hurd of Cisco Talos.