CVE-2019-5106: 
WAGO e!COCKPIT vulnerability analysis and mitigation

A hard-coded encryption key vulnerability exists in the authentication functionality of WAGO e!Cockpit version 1.5.1.1. The vulnerability was discovered by Carl Hurd of Cisco Talos and was publicly disclosed on March 9, 2020. This security flaw affects the authentication mechanism between e!Cockpit and CoDeSyS Gateway (Talos Report).

The vulnerability stems from a hard-coded 32-byte key used in XOR encryption with a four-byte challenge that is incorrectly implemented. Due to a coding error, the four-byte challenge is reduced to a single byte perturbance every four bytes within the password. The challenge is included in all authentication packets, making it trivial to recover the plaintext password of any user attempting to log in. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

An attacker with access to communications between e!Cockpit and CoDeSyS Gateway can intercept authentication packets and easily recover the plaintext passwords of users attempting to log in. This compromises the confidentiality of user credentials, potentially leading to unauthorized access to industrial control systems (Talos Report).

The vulnerability was disclosed to the vendor on September 19, 2019, and was coordinated through CERT@VDE. The disclosure timeline included multiple extensions and discussions with the vendor through January 2020 (Talos Report).