CVE-2019-5158: 
WAGO e!COCKPIT vulnerability analysis and mitigation

A firmware downgrade vulnerability (CVE-2019-5158) was discovered in WAGO e!COCKPIT automation software v1.6.1.5. The vulnerability exists in the firmware update package functionality, where a specially crafted firmware update file can allow an attacker to install an older firmware version while misleading users about the version being installed (Talos Report).

The vulnerability stems from improper input validation in the firmware update mechanism. The e!COCKPIT software uses wup (WAGO update package) files for firmware updates, which consist of a zip archive that can be optionally encrypted with ZipCrypto using hard-coded credentials. The package contains a control file (package-info.xml) that specifies firmware metadata including Revision and ReleaseIndex. The vulnerability has a CVSS v3.0 score of 8.6 (HIGH) with vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (Talos Report).

An attacker could exploit this vulnerability by preparing a malicious wup file using hard-coded credentials to extract and repackage legitimate WAGO firmware with modified metadata. For example, while the wup file contains firmware version 12, the metadata could indicate version 15, leading users to believe they're installing a newer version. This could enable attackers to exploit known vulnerabilities in older firmware versions to gain unauthorized access to the device (Talos Report).

The vulnerability was disclosed to the vendor on October 31, 2019, and the vendor acknowledged it and passed it to CERT@VDE for coordination. The disclosure deadline was extended following discussions with the vendor on January 28, 2020, leading to a public release on March 9, 2020 (Talos Report).