Kaspersky ICS CERT researchers have discovered several vulnerabilities in a popular framework used for developing industrial devices such as programmable logic controllers (PLC) and Human-Machine Interface (HMI). These devices are at the heart of almost any automated industrial facility – from critical infrastructure to production processes. The uncovered vulnerabilities potentially allowed an attacker to conduct covert destructive remote and local attacks on the organization where PLCs developed through this vulnerable framework are used. The framework was developed by CODESYS® and the vulnerabilities were fixed by the vendor following a report from Kaspersky.
PLCs are devices that automate processes that previously had to be performed manually or with help of complex electro-mechanical devices. In order to make a PLC work correctly, these devices should be programmed. This programming is done via a special software framework that helps engineers to code and upload process automation program instructions into PLC. This also provides a runtime execution environment for the PLC program code. This software is used across various environments, including production, energy generation, smart city infrastructures and many more. As Kaspersky researchers discovered, such software could become vulnerable and interfered with.
The researchers investigated a sophisticated and powerful tool designed for developing and controlling PLC programs. As a result, they were able to identify more than a dozen security issues in the main network protocol of the framework and the framework runtime, four of which were recognized as particularly serious and were assigned with separate IDs: CVE-2018-10612, CVE-2018-20026, CVE-2019-9013, and CVE-2018-20025.
Depending on which of these flaws is exploited, an attacker would be able to intercept and forge network command and telemetry data flaws, steal and reuse passwords and other authentication information, inject malicious code into runtime and elevate the attacker’s privileges in the system as well as other unauthorized actions — all effectively hiding their presence in the attacked network. In practice this means that an attacker would be able to either corrupt the functionality of PLCs at a particular facility or get full control over it, whilst staying under the radar of the operation technology (OT) personnel of the attacked facility. They could then disrupt operations or to steal sensitive data, such as intellectual properties and other confidential information, like factory production capabilities or new products in production. This is in addition to being able to oversee the operations of the facility and gather other intelligence that may be considered sensitive in the attacked organization.
Upon discovery, Kaspersky immediately reported these issues to the vendor of the affected software. All reported vulnerabilities are now fixed, and patches are available for framework users.
“The vulnerabilities we’ve discovered were providing an extremely wide attack surface for potentially malicious behavior and, given how widespread the software in question is, we are grateful to the software vendor for their prompt response and ability to swiftly fix these issues. We would like to think that as a result of this research we were able to make the job for attackers significantly harder. However, many of these vulnerabilities would have been discovered earlier, if the security community were involved in the development of network communication protocol at earlier stages. We believe collaboration with the security community should become good practice for developers of important components for industrial systems – including both hardware and software. Especially given that so-called Industry 4.0 which in large part based on the modern automated technologies is around the corner,” comments Alexander Nochvay, security researcher at Kaspersky ICS CERT.
"Product security is of utmost importance to the CODESYS Group. We therefore appreciate the comprehensive research results provided by Kaspersky – they help us to make CODESYS even securer. For many years now, we have been investing considerable technical and administrative efforts to permanently improve the security features of CODESYS. All detected vulnerabilities are immediately investigated, assessed, prioritized and published in a security advisory. Fixes in form of software updates are promptly developed and immediately made available to all CODESYS users in the CODESYS Store," - said Roland Wagner, Head of Product Marketing at CODESYS Group
To address the potential risks that exploitation of the reported issues brings, Kaspersky specialists advise the following measures:
- Developers that use the framework are advised to request the updated version and subsequently update firmware for devices if they were created with help of this framework
- Industrial engineers are advised to consider updating the firmware on their devices with respect to their enterprise’s patch management procedures if the device was created with help of this framework and if the developer of device-issued relevant update for its product
- Devices, where development environments and/or SCADA are deployed, should be equipped with relevant protection
- Devices used in industrial environments should work on an isolated, limited network.
- Until firmware patches are applied, security teams guarding industrial networks should consider deploying specific measures, such as targeted attack detection solutions, industrial network monitoring, delivering regular IT and OT staff security training and other security measures necessary to protect against sophisticated threats