CVE-2019-5149 in PFC100
Summary
by MITRE
The WBM web application on firmwares prior to 03.02.02 and 03.01.07 on the WAGO PFC100 and PFC2000, respectively, runs on a lighttpd web server and makes use of the FastCGI module, which is intended to provide high performance for all Internet applications without the penalties of Web server APIs. However, the default configuration of this module appears to limit the number of concurrent php-cgi processes to two, which can be abused to cause a denial of service of the entire web server. This affects WAGO PFC200 Firmware version 03.00.39(12) and version 03.01.07(13), and WAGO PFC100 Firmware version 03.00.39(12) and version 03.02.02(14).
Analysis
by VulDB Data Team • 04/13/2024
The vulnerability identified as CVE-2019-5149 represents a critical denial of service weakness in WAGO PFC100 and PFC200 industrial control devices. These programmable function controllers operate in industrial environments where reliable network connectivity and web server functionality are paramount for system management and monitoring. The affected devices run firmware versions prior to 03.02.02 for PFC100 and 03.01.07 for PFC200, which utilize the lighttpd web server implementation with FastCGI module support. This configuration, while designed to optimize performance for internet applications, introduces a fundamental limitation in process management that creates exploitable conditions for service disruption.
The technical flaw manifests through the default FastCGI module configuration which restricts concurrent php-cgi processes to a maximum of two. This limitation becomes problematic when malicious actors or unauthorized users exploit the web server's response handling capabilities by initiating multiple simultaneous requests that consume the available FastCGI processes. The constrained process pool creates a scenario where legitimate web server operations cannot proceed due to resource exhaustion, effectively rendering the entire web interface unavailable to authorized users. This behavior aligns with CWE-400 vulnerability classification related to resource exhaustion and represents a classic denial of service vector that leverages application-level process management limitations.
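An added example, not code from MITRE, VulDB or WAGO: a Python check that reads a lighttpd configuration and reports how many PHP requests the FastCGI pool described above can serve at once. The sample configuration is constructed, and the function names, the fallback of 4 for an omitted `max-procs` and the threshold of two are assumptions of this example.

```python
import re

# Constructed sample for illustration; not the vendor's actual configuration.
SAMPLE_CONF = '''
server.modules += ( "mod_fastcgi" )
fastcgi.server = ( ".php" => ((
    "bin-path"  => "/usr/bin/php-cgi",
    "socket"    => "/tmp/php.socket",
    "max-procs" => 2,
    # "bin-environment" => ( "PHP_FCGI_CHILDREN" => "4" ),
)))
'''

def strip_comments(text):
    """Drop '#' comments that sit outside double-quoted strings."""
    out = []
    for line in text.splitlines():
        in_str = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_str = not in_str
            elif ch == '#' and not in_str:
                line = line[:i]
                break
        out.append(line)
    return "\n".join(out)

def php_worker_capacity(conf_text, default_max_procs=4):
    """Return how many PHP requests the FastCGI pool can serve concurrently."""
    conf = strip_comments(conf_text)
    m = re.search(r'"max-procs"\s*=>\s*"?(\d+)"?', conf)
    max_procs = int(m.group(1)) if m else default_max_procs  # assumed fallback
    m = re.search(r'"PHP_FCGI_CHILDREN"\s*=>\s*"?(\d+)"?', conf)
    children = int(m.group(1)) if m else 0
    # With no children, each spawned php-cgi serves requests itself;
    # otherwise each parent only supervises `children` worker processes.
    return max_procs * max(children, 1)

def audit(conf_text, threshold=2):
    """Flag pools at or below the two-process limit named in the advisory."""
    cap = php_worker_capacity(conf_text)
    return {"workers": cap, "at_risk": cap <= threshold}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A larger pool only raises the number of simultaneous requests needed to occupy every worker, so restricting who can reach the web interface remains the primary control.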
The operational impact of this vulnerability extends beyond simple service interruption as it affects industrial control systems where web-based management interfaces are critical for device configuration, monitoring, and maintenance activities. When the web server becomes unavailable, system administrators lose access to essential management functions, potentially leading to extended downtime for industrial processes. The vulnerability affects specific firmware versions including WAGO PFC200 Firmware version 03.00.39(12) and version 03.01.07(13), and WAGO PFC100 Firmware version 03.00.39(12) and version 03.02.02(14), indicating that the issue is not universal across all device versions but specifically targets older firmware implementations. This creates a targeted attack surface where adversaries can systematically identify and exploit vulnerable industrial control systems within network environments.
Security professionals should note that this vulnerability maps to several ATT&CK tactics including TA0040 (Resource Hijacking) and TA0006 (Credential Access) through the exploitation of web server resources. The attack vector primarily involves sending multiple concurrent requests to the web server, which consumes the limited FastCGI process pool and causes service disruption. Mitigation strategies should include firmware updates to versions 03.02.02 for PFC100 and 03.01.07 for PFC200, which address the process limitation configuration. Additionally, network segmentation and access control measures can reduce the attack surface by limiting unauthorized access to the web management interfaces. The vulnerability demonstrates the importance of proper resource management in embedded systems and highlights how seemingly minor configuration limitations can create significant operational risks in industrial environments where reliability is essential.