Positive Technologies Identifies Vulnerabilities in WAGO Industrial Controller

By: Veronica Haggar on June 7, 2021

Attackers can access controller file system, cause a malfunction, and disrupt the technological process

Moscow, Russia, June 7, 2021 – Positive Technologies experts Vyacheslav Moskvin and Sergey Fedonin have revealed two vulnerabilities in the firmware of the WAGO 750-8207 industrial controller, one of critical severity. The 750 series controllers are used for building automation for renewable energy sources at numerous installations: transformer stations and other power distribution facilities, in the petrochemical industry, water supply and other public utilities, shipbuilding, marine and coastal structures, for mechanical engineering, and other fields. The manufacturer has released security updates and recommendations on ways to reduce the risk.

Vulnerability CVE-2021-21001 is in the CODESYS 2.3 runtime component that is part of the WAGO controller firmware. Exploitation of this vulnerability requires authorization and network access to the controller.

“WAGO gave this vulnerability a CVSS 3.0 score of 9.1,” said Vladimir Nazarov, Head of ICS Security, Positive Technologies. “By exploiting this vulnerability, attackers can access the controller file system with read and write rights. Changes in the PLC file system may cause disruption of technological processes and even lead to industrial accidents.”

The second vulnerability, CVE-2021-21000 (CVSS 3.0 score of 5.3), was found in the iocheckd service developed by WAGO. It is designed to check the inputs and outputs of the PLC, as well as to display the PLC configuration. To exploit the vulnerability, no authorization is required—it’s enough to have network access. Exploitation may cause a sudden shutdown of the controller, and in turn interrupt technological processes.

To fix the vulnerability, organizations are advised to follow the recommendations in WAGO’s notice. Exploitation of the vulnerability (for example, where an update cannot be installed) can be detected using solutions for continuous information security monitoring and ICS incident management, such as PT Industrial Security Incident Manager.

About Positive Technologies

Positive Technologies is a leading global provider of enterprise security solutions for vulnerability and compliance management, incident and threat analysis, and application protection. Commitment to clients and research has earned Positive Technologies a reputation as one of the foremost authorities on Industrial Control System, Banking, Telecom, Web Application, and ERP security, supported by recognition from the analyst community.

ptsecurity.com, facebook.com/PositiveTechnologies, facebook.com/PHDays.
