Positive Technologies Uncovers Critical Vulnerabilities in CODESYS
Serious Threat to Industrial Control Systems Worldwide
Remote code execution on PLC[1] is a menace to technological processes
Positive Technologies experts Anton Dorfman, Ivan Kurnakov, Sergey Fedonin, Vyacheslav Moskvin and Denis Goryushev have identified 10 vulnerabilities in CODESYS[2] automation software for industrial control systems. Some are of high and critical severity. CODESYS has fixed the vulnerabilities and released security advisories.

“The vendor rated some of these vulnerabilities as 10 out of 10, or extremely dangerous,” says Vladimir Nazarov, Head of ICS Security at Positive Technologies. “Their exploitation can lead to remote command execution on the PLC, which may disrupt technological processes and cause industrial accidents and economic losses. The most notorious example of exploiting similar vulnerabilities is Stuxnet. In one such attack, this malware modified a project in a PLC, hampering the operation of centrifuges at Iran's nuclear facility in Natanz. Initially, we analyzed the WAGO 750-8207 PLC. After we informed WAGO about the vulnerabilities we found, the company passed the information to the people working on CODESYS, the software used as a foundation by 15 manufacturers to build PLC firmware. In addition to WAGO, that includes Beckhoff, Kontron, Moeller, Festo, Mitsubishi, HollySys and several Russian developers. In other words, a lot of controllers are affected by these vulnerabilities.”

To exploit the vulnerabilities, an attacker does not need a username or password; having network access to the industrial controller is enough. According to the researchers, the main cause of the vulnerabilities is insufficient verification of input data, which may itself stem from a failure to comply with secure development recommendations.
The most dangerous problems were found in the CODESYS V2.3 web server component used by CODESYS WebVisu to display a human-machine interface in a web browser. Multiple vulnerabilities discovered in this component received a CVSS 3.0 score of 10 and the identifiers CVE-2021-30189, CVE-2021-30190, CVE-2021-30191, CVE-2021-30192, CVE-2021-30193, and CVE-2021-30194.

Other vulnerabilities, rated 8.8, were found in the CODESYS Control V2 communication runtime system, which enables embedded PC systems to act as programmable industrial controllers. Identifiers: CVE-2021-30186, CVE-2021-30188, and CVE-2021-30195.

Finally, vulnerability CVE-2021-30187, discovered in the CODESYS Control V2 Linux SysFile library, was rated 5.3. It can be used to call additional PLC functions through the SysFile system library. Attackers can, for example, delete files and potentially disrupt particular technological processes.

To eliminate the vulnerabilities, companies are advised to follow the recommendations in the official CODESYS notices (1, 2, 3). If it is impossible to install an update, signs of penetration can be detected with security monitoring and cybersecurity incident management systems, such as PT Industrial Security Incident Manager.

[1] Programmable logic controllers (PLC) are devices that fully automate the operation of various industrial equipment, mechanisms, machines, and tools.

[2] CODESYS (controller development system) is a development environment for PLC applications used by manufacturers around the world.

Source: Positive Technologies media announcement