CVE-2021-34569 In WAGO I/O-Check Service, an attacker can crash the diagnostic tool and write memory.
The following commands can cause the memory leak: shutdown -h now - This command can crash WAGO I/O-Check Service if sent in multiple products.
kill -9 - This command can crash WAGO I/O-Check Service if sent in multiple products.
Some of the WAGO products use a file system agent that allows you to create a virtual disk or device. To create a virtual disk or device in WAGO products, you can send a specially crafted packet containing OS commands to write memory.
The following commands can cause the memory leak: Some of the WAGO products use a file system agent that allows you to create a virtual disk or device. To create a virtual disk or device in WAGO products, you can send a specially crafted packet containing OS commands to write memory.
To stop the WAGO I/O-Check Service, you can directly send a packet containing OS commands to crash the diagnostic tool.
WAGO I/O-Check Service does not implement any authorization mechanism and does not block any type of communication. Therefore, an attacker can send a specially crafted packet to start any other diagnostic tool on the same port.
WAGO I/O-Check Service does not implement any authorization mechanism and does not block any type of communication. Therefore, an attacker can send a specially crafted packet to start any other diagnostic tool on the same port.
It is important to note
Weaknesses in WAGO I/O-Check Service
WAGO I/O-Check Service has a number of weaknesses. One weakness is the fact that it does not implement any authorization mechanism and doesn't block any type of communication. This means an attacker can send a specially crafted packet to start any other diagnostic tool on the same port. Another weakness is that WAGO I/O-Check Service does not check for malicious payloads in packets and doesn't block them either.
WAGO I/O-Check Service can be exploited by a local unprivileged user?
Yes, the diagnostic tool can be exploited by local unprivileged users.
Timeline
Published on: 11/09/2022 16:15:00 UTC
Last modified on: 11/09/2022 16:32:00 UTC