Microsoft: Codesys PLC bugs could be exploited to 'shut down power plants'
What are these gadgets running, Windows? Ka-boom-tsch
Fifteen bugs in Codesys' industrial control systems software could be exploited to shut down power plants or steal information from critical infrastructure environments, experts have claimed.
In a report, with further details published on GitHub, Microsoft threat intel specialist Vladimir Tokarev says the Windows giant – no stranger to security holes, cough – disclosed details of vulnerabilities in the Codesys V3 SDK to the Germany-based vendor in September 2022. Codesys has since patched the bugs.
The SDK is widely used, we're told, and provides a development environment for engineers to configure and test programmable logic controllers (PLCs) for industrial systems. The firmware in a good deal of PLCs contains library routines from Codesys to run the engineers' programs, and it is this embedded code that is exploitable, leaving the equipment itself vulnerable to attack.
While Microsoft's team focused on the firmware in PLCs made by Schneider Electric and Wago, Codesys V3 is available for about 1,000 device types from more than 500 manufacturers, which totals up to "several million devices" that use Codesys code to implement IEC 61131-3 – the international standard for vendor-neutral industrial equipment programming languages – according to the bug hunters.
So if your operational technology (OT) environment uses devices with any of this buggy firmware, update now if you can to avoid remote code execution (RCE) or denial of service (DoS) attacks.
The 15 vulnerabilities, tracked as CVE-2022-47379 through CVE-2022-47393 inclusive, all received CVSS severity ratings of 8.8 out of 10, except for CVE-2022-47391, which earned a 7.5. It's the only one that can't be abused for RCE. Exploitation of any of these holes requires an attacker to be able to authenticate and log in.
A dozen are buffer-overflow vulnerabilities. In a separate write-up, Microsoft's threat intel team described the exploit process thus:
We were able to apply 12 of the buffer overflow vulnerabilities to gain RCE of PLCs. Exploiting the vulnerabilities requires user authentication as well as bypassing the Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) used by both the PLCs.
To overcome the user authentication, we used a known vulnerability, CVE-2019-9013, which allows us to perform a replay attack against the PLC using the unsecured username and password's hash that were sent during the sign-in process, allowing us to bypass the user authentication process.
To be clear, these aren't easy exploits. Not only do they require user authentication or stolen credentials, but an intruder will also need "deep knowledge of the proprietary protocol of Codesys V3 and the structure of the different services that the protocol uses," Redmond noted.
But considering how high the stakes are — and the potential for causing disruption by shutting down factories or turning off power — we'd highly suggest patching ASAP. For one thing, the flaws could be exploited to quietly disrupt operations, create unsafe or dangerous situations, or make machinery behave in ways outside its expected programming, a la Stuxnet.
Well, you know, in theory.
As Microsoft warned: "A DoS attack against a device using a vulnerable version of Codesys could enable threat actors to shut down a power plant, while remote code execution could create a backdoor for devices and let attackers tamper with operations, cause a PLC to run in an unusual way, or steal critical information."
We've asked Codesys if it has any further comment. ®