CVE-2019-5167

Published: Mar 10, 2020

Modified: Aug 4, 2024

PUBLISHED

Description

An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 version 03.02.02(14). At 0x1e3f0 the extracted dns value from the xml file is used as an argument to /etc/config-tools/edit_dns_server %s dns-server-nr=%d dns-server-name=<contents of dns node> using sprintf(). This command is later executed via a call to system(). This is done in a loop and there is no limit to how many dns entries will be parsed from the xml file.

Vendor	Product	Versions
Wago	WAGO PFC200 Firmware	affected `version 03.02.02(14)`

References

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2019-5167

Description

Affected Products

References