Industrial cybersecurity remains in the spotlight as IT system compromises continue to take down operational systems across a range of industries. (Not always due to operational technology breaches per se, but increased overlap and integration of IT and OT continues to throw up major security issues.)
In the latest reminder of just how vulnerable to compromise many widely used industrial systems are, Germany’s CODESYS GmbH has been forced to patch a string of über-critical (CVSS 10) vulnerabilities that would give an unauthenticated, remote attacker the ability to — amongst other things — “bypass the user management and to read or write values on the PLC without authentication.”
The worst of the bugs were found in the CODESYS V2.3 web server component used by CODESYS WebVisu to display human-machine interface in a web browser. All CODESYS V2 web servers running stand-alone or as part of the CODESYS runtime system prior version V220.127.116.11 are affected. The six CVEs affecting this component are a who’s who of software vulnerabilities, ranging from stack-based buffer overflows through to security check bypasses and out-of-bounds write bugs.
The bugs (CVE-2021-30189, CVE-2021-30190, CVE-2021-30191, CVE-2021-30192, CVE-2021-30193, CVE-2021-30194) were found and disclosed by Russia’s Positive Technologies; the software was patched earlier this month by CODESYS, though with patching of industrial software being what it is, it’s highly likely that large numbers of users haven’t updated, security experts say.
Vladimir Nazarov, Head of ICS Security at Positive Technologies, said: “Their exploitation can lead to remote command execution on PLC, which may disrupt technological processes and cause industrial accidents and economic losses,” adding “Initially, we analyzed the WAGO 750-8207 PLC. After we informed WAGO about the found vulnerabilities, the company passed the information to the people working on CODESYS, the software used as a foundation by 15 manufacturers to build PLC firmware. In addition to WAGO, that includes Beckhoff, Kontron, Moeller, Festo, Mitsubishi, HollySys and several Russian developers. In other words, a lot of controllers are affected by these vulnerabilities.”
To exploit the vulnerabilities, an attacker does not need a username or password; having network access to the industrial controller is enough. According to the researchers, the main cause of the vulnerabilities is insufficient verification of input data, which may itself be caused by failure to comply with the secure development recommendations.
The semi-mythical air gap will no doubt be pointed to by many, and a fleeting look on Shodan appears to point to a smattering of likely honeypots, rather than thousands of obviously exposed systems. CODESYS meanwhile urges users to “use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside” and to “use VPN tunnels if remote access is required” among other precautions.
Yet with recent horror stories like the attempted poisoning of water supply at a plant in Florida on many minds, and the ease with which cybercriminals are breaching IT systems in ransomware attacks, the possibility of pivoting to industrial control systems and doing or threatening physical damage as part of either an extortion campaign or a politically motivated attack will worry many observers.