CVE-2022-3281 in PFC100
Summary
by MITRE • 10/17/2022
WAGO Series PFC100/PFC200, Series Touch Panel 600, Compact Controller CC100 and Edge Controller in multiple versions are prone to a loss of MAC-Address-Filtering after reboot. This may allow a remote attacker to circumvent the MAC address filter and reach the network it should protect.
Analysis
by VulDB Data Team • 11/09/2022
The vulnerability identified as CVE-2022-3281 affects several WAGO industrial control devices including the PFC100/PFC200 series, Touch Panel 600, Compact Controller CC100, and Edge Controller across multiple firmware versions. This flaw represents a critical security weakness in network access control mechanisms that could potentially allow remote attackers to bypass network protection measures. The vulnerability specifically impacts the MAC address filtering functionality that is designed to restrict network access based on hardware MAC addresses, a common security practice in industrial environments where device authentication and network segmentation are paramount.
The technical flaw manifests as a failure in the device's security configuration persistence mechanism. During normal operation, these industrial controllers implement MAC address filtering to control which devices can communicate on the network segment. However, after a reboot event, the system fails to maintain the previously configured MAC address filtering rules, effectively disabling this security feature. This behavior creates a window of opportunity where unauthorized network access can occur during the brief period when the device is restarting and reinitializing its network configuration. The vulnerability is particularly concerning in industrial control environments where network security is critical for operational technology infrastructure.
From an operational impact perspective, this vulnerability compromises the integrity of network access controls in industrial settings where these devices are commonly deployed. The loss of MAC address filtering after reboot exposes the network to potential unauthorized access, which could lead to man-in-the-middle attacks, network disruption, or even compromise of critical industrial processes. The remote attack vector means that adversaries do not require physical access to the devices, making this vulnerability particularly dangerous in environments where physical security measures may be insufficient. This weakness undermines the security posture of industrial networks and could potentially allow attackers to escalate privileges or gain access to sensitive operational data.
The vulnerability aligns with CWE-284, which addresses improper access control, and could be categorized under ATT&CK technique T1071.004 for application layer protocol usage. The affected devices typically operate in environments where network segmentation and access control are fundamental security requirements. Organizations should implement immediate mitigations including network segmentation, monitoring for unauthorized network access during device reboots, and applying vendor-provided firmware updates when available. Additional defensive measures may include implementing network access control lists at the switch level, monitoring for anomalous network traffic patterns, and establishing procedures to minimize the frequency of device reboots in critical operational environments. The vulnerability highlights the importance of proper security configuration persistence in industrial control systems and underscores the need for comprehensive security testing of network access control mechanisms in operational technology environments.