Kaspersky ICS CERT researchers have discovered several vulnerabilities in a popular framework used for developing industrial devices such as programmable logic controllers (PLC) and human-machine interface (HMI).

These devices are at the heart of almost any automated industrial facility – from critical infrastructure to production processes. The uncovered vulnerabilities potentially allowed an attacker to conduct covert, destructive remote and local attacks on any organisation that uses PLCs developed with this vulnerable framework.

The framework was developed by Codesys, and the vulnerabilities were fixed by the vendor following a report from Kaspersky.

PLCs are devices that automate processes that previously had to be performed manually or with the help of complex electro-mechanical devices. For a PLC to work correctly, it must be programmed. This programming is done via a special software framework that helps engineers write process automation programme instructions and upload them to the PLC. The same framework also provides the runtime execution environment for the PLC programme code.

This software is used across various environments, including production, energy generation, smart city infrastructure and many more. As Kaspersky researchers discovered, such software can itself be vulnerable and be interfered with.

The researchers investigated a sophisticated and powerful tool designed for developing and controlling PLC programs. As a result, they were able to identify more than a dozen security issues in the main network protocol of the framework and in the framework runtime, four of which were recognised as particularly serious and were assigned separate IDs: CVE-2018-10612, CVE-2018-20026, CVE-2019-9013, and CVE-2018-20025.

Depending on which of these flaws is exploited, an attacker would be able to intercept and forge network command and telemetry data flows, steal and reuse passwords and other authentication information, inject malicious code into the runtime and elevate the attacker’s privileges in the system, as well as perform other unauthorised actions, all while effectively hiding their presence in the attacked network.

In practice this means that an attacker would be able either to corrupt the functionality of the PLCs at a particular facility or to gain full control over them, whilst staying under the radar of the operational technology (OT) personnel of the attacked facility. They could then disrupt operations or steal sensitive data, such as intellectual property and other confidential information, like factory production capabilities or new products in production.

This is in addition to being able to oversee the operations of the facility and gather other intelligence that may be considered sensitive in the attacked organisation.

Upon discovery, Kaspersky reported the issues to the vendor of the affected software. All reported vulnerabilities are now fixed, and patches are available for framework users.

“The vulnerabilities we discovered were providing an extremely wide attack surface for potentially malicious behaviour and, given how widespread the software in question is, we are grateful to the software vendor for their prompt response and ability to swiftly fix these issues,” comments Alexander Nochvay, security researcher at Kaspersky ICS CERT. “We would like to think that as a result of this research we were able to make the job for attackers significantly harder. However, many of these vulnerabilities would have been discovered earlier, if the security community were involved in the development of network communication protocol at earlier stages.

“We believe collaboration with the security community should become good practice for developers of important components for industrial systems – including both hardware and software. Especially given that so-called Industry 4.0, which is in large part based on modern automated technologies, is around the corner.”

Roland Wagner, head of product marketing at Codesys Group, adds: “Product security is of utmost importance to the Codesys Group. We therefore appreciate the comprehensive research results provided by Kaspersky – they help us to make Codesys even more secure.

“For many years now, we have been investing considerable technical and administrative efforts to permanently improve the security features of Codesys. All detected vulnerabilities are immediately investigated, assessed, prioritised and published in a security advisory. Fixes in the form of software updates are promptly developed and immediately made available to all Codesys users in the Codesys Store.”