Industrial control systems vulnerable to remote attackers
Industrial control systems running CoDeSys, a ladder logic system developed by 3S Software and used by 261 manufacturers to operate controllers for motorised drives and other systems, are vulnerable to a network-based attack which requires no authentication. The vulnerability, described as a design issue, has been reported by SCADA security specialists Digital Bond, who published a report on the 3S CoDeSys system. The problem was discovered by Reid Wightman, a former Digital Bond researcher, as part of the company's Project Basecamp initiative. The problem is that the CoDeSys runtime, responsible for running the executable-wrapped binary files which contain the ladder logic, also offers a TCP listener service on port 1200.
This listener service allows for both file transfer and access to a command-line interface, and neither, say Digital Bond, requires authentication. The interface is not a plain-text protocol, though, so interaction with it needs to be wrapped; Digital Bond has released a tool, codesys-shell.py, which performs that wrapping and gives users access to the command-line shell. The shell itself is relatively friendly, with "?" eliciting a help menu which details the commands it can accept to start and stop PLC programs, dump memory, list files and directories, or reset applications. The interface is equivalent to what appears when running the PLC browser in the CoDeSys desktop software, but it skips the vendor checks which would normally make the connection fail without licensed plugins installed.
The command-line interface is also vulnerable to a directory traversal attack which could allow an unauthorised user to overwrite critical configuration files on a device. Because the runtime engine often needs access to /dev devices and writes to a privileged bus, manufacturers often run it with "root" or "administrator" privileges. Those elevated privileges also expose another problem: code injected into the device runs with the privileges of the runtime engine. A separate script from the Digital Bond researchers, codesys-transfer.py, uses the same listener to transfer files to the runtime. The PLC programs that are transferred to, and are runnable by, the runtime include executable code as part of their wrapper. Therefore, it would be possible with the scripts to upload a PLC program to a controller and have it execute with system privileges; this could be done if the command to make uploaded ladder logic files active were implemented in the scripts.
Edwin Schwellinger, support manager at 3S Software, told US media that the company was aware of the security problem and was developing a patch, adding, "We are working with high pressure on these issues". He said that the vulnerability is only exploitable if the attacker already has access to the network where the PLC runtime is executing and that the network should not be accessible from the internet. Unfortunately, it has been shown in the past that there are many industrial control system networks which are accessible from the internet, and even when they are not directly accessible, a persistent attacker can use compromised USB sticks in combination with social engineering to get malware over the air gap.
One anonymous vendor, referred to in a blog posting by Digital Bond CEO Dale Peterson, has apparently already got defences in place. The unnamed vendor has a threat modelling element in their security development lifecycle and, unrelated to Digital Bond's project, identified the rogue ladder logic threat during that process. Their solution was to wrap the CoDeSys runtime in a "security envelope" that requires authentication before accessing the port. Peterson says the company would like to hear from anyone testing the security of CoDeSys-based devices and is looking to implement the scripts as a Metasploit module.
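The two defensive ideas the article touches on, an authenticating "security envelope" in front of the listener and confinement of file-transfer paths against the directory traversal described earlier, are modelled below as an added example; it is not code from Digital Bond, 3S or the unnamed vendor, and the data directory, client table, token and command names are assumptions rather than CoDeSys's own protocol.

```python
import hmac
import posixpath
from typing import Optional, Tuple

# Constructed model of an authenticating "security envelope" in front of a
# PLC file-transfer/command listener. The directory, client table, token and
# command names are assumptions for illustration, not CoDeSys's own protocol.
RUNTIME_ROOT = "/opt/runtime/files"                    # hypothetical data dir
SESSION_TOKENS = {"engineering-ws-1": "s3cr3t-token"}  # constructed sample
FILE_COMMANDS = {"get", "put", "list"}
CONTROL_COMMANDS = {"start", "stop", "reset"}


def confine_path(requested: str, root: str = RUNTIME_ROOT) -> Optional[str]:
    """Resolve a client-supplied path under root, or return None if it
    escapes root (e.g. via '..' segments or an absolute path)."""
    # Normalise Windows separators so '..\\' cannot slip past the check.
    cleaned = requested.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(root, cleaned))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def handle_request(client: str, token: str, command: str, arg: str) -> Tuple[bool, str]:
    """Gate every command on a valid session token, then confine file paths.
    Returns (accepted, message); only accepted requests would be forwarded
    to the runtime behind the envelope."""
    expected = SESSION_TOKENS.get(client)
    # Constant-time comparison; unknown clients fail before any command runs.
    if expected is None or not hmac.compare_digest(expected, token):
        return False, "authentication required"
    if command in FILE_COMMANDS:
        path = confine_path(arg)
        if path is None:
            return False, "path outside runtime directory"
        return True, f"{command} {path}"
    if command in CONTROL_COMMANDS:
        return True, f"{command} {arg}"
    return False, "unknown command"


if __name__ == "__main__":
    print(handle_request("engineering-ws-1", "s3cr3t-token", "get", "app/program.bin"))
    print(handle_request("engineering-ws-1", "s3cr3t-token", "put", "../../../etc/passwd"))
    print(handle_request("unknown-host", "", "?", ""))
```

The envelope refuses the help menu and every other command until the client has authenticated, and a traversal attempt is rejected rather than silently clamped inside the data directory.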