CVE-2019-5078

EUVD-2019-14683

18.12.2019, 21:15

An exploitable denial of service vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC200 Firmware versions 03.01.07(13) and 03.00.39(12), and WAGO PFC100 Firmware version 03.00.39(12). A specially crafted set of packets can cause a denial of service, resulting in the device entering an error state where it ceases all network communications. An attacker can send unauthenticated packets to trigger this vulnerability.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.1 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 70%

Affected Products (NVD)

Vendor	Product	Version
wago	pfc_200_firmware	03.00.39\(12\)
wago	pfc_200_firmware	03.01.07\(13\)
wago	pfc_100_firmware	03.00.39\(12\)

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-306 - Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0870