
Cloud Vulnerability DB
A community-led vulnerabilities database
An improper input validation vulnerability (CVE-2019-5159) was discovered in the firmware update functionality of WAGO e!COCKPIT automation software version 1.6.0.7. The vulnerability was discovered by Kelly Leuschner of Cisco Talos and publicly disclosed on March 9, 2020. WAGO e!COCKPIT is automation software used for programming, visualization, and diagnostics of WAGO's programmable logic controllers (PLCs), which are deployed across various industries including automotive, rail, power engineering, manufacturing, and building management (Talos Report).
The vulnerability exists in the firmware update mechanism that processes WAGO update package (wup) files. The wup file format consists of a zip archive that can be optionally encrypted with ZipCrypto using a hard-coded password. Each directory in the archive contains a control file (package-info.xml) that specifies firmware information and lists files to be written to the device. The vulnerability stems from insufficient validation of the TargetPath property in the XML nodes, allowing arbitrary file paths. The CVSS v3.0 score is 8.6 (High) with the vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (Talos Report).
Successful exploitation of this vulnerability could allow an attacker to write arbitrary files to arbitrary locations on WAGO controllers during a firmware update. This could result in code execution with the privileges of the credentials used for the update process. The files are written with global read permissions, and if a file already exists, it retains its original permissions (Talos Report).
Users should execute firmware updates via e!COCKPIT using administrator credentials rather than root for the controller. This mitigation strategy restricts the writable locations on the device to only those writable by the admin user, reducing the potential impact of the vulnerability (Talos Report).
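A pre-flight check over the package-info.xml control files described above, as an added example that is not code from WAGO, Talos, or this page. It assumes an unencrypted wup archive, that TargetPath appears as an XML attribute, and a hypothetical allowed root `/opt/fw-staging`; the real schema and device layout are not given on the page.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

# Assumption: directories a firmware package may legitimately write to.
ALLOWED_ROOTS = ("/opt/fw-staging",)

def check_target(path, allowed_roots=ALLOWED_ROOTS):
    """Return a reason string if the path is unacceptable, else None."""
    if not path.startswith("/"):
        return "not an absolute path"
    if ".." in path.split("/"):
        return "contains '..' segment"
    norm = posixpath.normpath(path)
    if not any(norm == r or norm.startswith(r + "/") for r in allowed_roots):
        return "outside allowed roots"
    return None

def audit_wup(data, allowed_roots=ALLOWED_ROOTS):
    """Return [(control_file, target_path, reason)] for each rejected TargetPath."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Each directory in the archive carries its own control file.
            if posixpath.basename(name) != "package-info.xml":
                continue
            root = ET.fromstring(zf.read(name))
            for node in root.iter():
                target = node.get("TargetPath")  # assumed attribute form
                if target is None:
                    continue
                reason = check_target(target, allowed_roots)
                if reason:
                    findings.append((name, target, reason))
    return findings

def build_sample():
    """Constructed sample package for the demo, not a real WAGO file."""
    xml = (b'<Package><File Name="app.bin" TargetPath="/opt/fw-staging/app.bin"/>'
           b'<File Name="a" TargetPath="/opt/fw-staging/../../etc/example.conf"/>'
           b'<File Name="b" TargetPath="/etc/example.conf"/></Package>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fw1/package-info.xml", xml)
        zf.writestr("fw1/app.bin", b"\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_wup(build_sample()):
        print(finding)
```

Running the check before a package is handed to the updater complements the credential restriction above: the package is rejected on its declared paths rather than relying only on what the update account can write.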
Source: This report was generated using AI