‘Sabotage the Factory’ — 16 Big Bugs in Codesys ICS/OT/SCADA Software

Researchers unveil high-severity vulns in Codesys Control, used in millions of devices.

See that power station, chemical plant or production line? It probably uses Codesys Control software to program its industrial computers.

At Black Hat, a Microsoft researcher unveils a boatload of really nasty flaws. In today’s SB Blogwatch, we’re crushed by the wheels of industry.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: November Rain unplugged.

CoDe16 FAIL

What’s the craic? Eduard Kovacs reports—“Microsoft Discloses Codesys Flaws Allowing Shutdown of Industrial Operations, Spying”:

Black Hat
Germany-based Codesys makes automation software for engineering control systems. Its products are used by some of the world’s largest industrial control system (ICS) manufacturers. … Its software is found in millions of devices — roughly 1,000 different types of products made by over 500 manufacturers.

A total of 16 vulnerabilities in Codesys Control V3 versions prior to 3.5.19.0 … were reported to Codesys in September 2022 and patches were announced in April 2023. All of the vulnerabilities have been assigned a ‘high severity’ rating … for denial-of-service (DoS) attacks or for remote code execution (RCE).

“A successful attack has the potential to inflict great damage on targets,” Microsoft explained. … The Codesys vulnerabilities were summarized in a session at the Black Hat cybersecurity conference this week by … Vladimir Tokarev.


Shouldn’t the vulns be given a silly name? Vladimir Eliezer Tokarev agrees—“16 Zero-Day Vulnerabilities Affecting CODESYS Framework”:

Sabotaging the factory floor
“CoDe16” is our code name for 16 zero-day vulnerabilities we have found in CODESYS which is a platform-independent software framework used for programming PLCs. CODESYS is extremely prevalent in Operational Technology, popular in many different industries (factory automation, energy, mobile, building, embedded, process, etc.), and supported by over 500 manufacturers (Schneider Electric, Beckhoff, Wago, Eaton, ABB, Festo, etc.) covering numerous architectures (MIPS, Renesas, ARM, PowerPC, TriCore, etc.) spread across millions of devices.

We will … show a full remote code execution exploit chain leading into stage I shellcode that implants a stage II persistent Ladder Diagram … malicious payload [allowing] full control of the PLC and sabotaging the factory floor.

And Bill Toulas adds—“Industrial PLCs worldwide impacted by CODESYS V3 RCE flaws”:

Upgrade
Millions of PLC (programmable logic controllers) used in industrial environments worldwide are at risk. … Due to the nature of those devices, they are not frequently updated to fix security problems, so Microsoft’s security team published a detailed post yesterday to raise awareness of the risks and to help the patching pick up pace.

The main issue is in the tag decoding mechanism of the SDK, specifically the fact that tags are copied into the device buffer without verifying their size, giving attackers a buffer overflow opportunity. … The buffer overflow problem isn’t isolated: … Microsoft found it in 15 CODESYS V3 SDK components, including CMPTraceMgr, CMPapp, CMPDevice, CMPApp, CMPAppBP, CMPAppForce, and CMPFileTransfer.

Microsoft … recommends disconnecting PLCs and other critical industrial devices from the internet. … Admins are advised to upgrade to CODESYS V3 v3.5.19.0 as soon as possible.
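To make the "copied without verifying their size" point concrete, here is an added illustration (not code from the page, Microsoft's write-up, or CODESYS): a toy tag decoder with the unchecked copy beside the bounds-checked version. The 3-byte tag header, the 64-byte device buffer, the sample messages and every function name are constructed for the example and are not the real CODESYS wire format or SDK API.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DEVICE_BUF_LEN 64   /* constructed: fixed-size buffer on the "device" */

/* Constructed tag layout (assumption, not the real CODESYS format):
 *   byte 0     : tag id
 *   bytes 1..2 : payload length, big-endian
 *   bytes 3..  : payload
 */
#define TAG_HDR_LEN 3

struct device_buf {
    uint8_t data[DEVICE_BUF_LEN];
    size_t used;
};

/* Reads the 16-bit big-endian length field from a tag header. */
static uint16_t tag_len(const uint8_t *tag) {
    return (uint16_t)((tag[1] << 8) | tag[2]);
}

/* Vulnerable pattern: trusts the length field in the message and copies
 * that many bytes into the fixed buffer. A declared length larger than
 * DEVICE_BUF_LEN writes past the end of dst->data, and a length larger
 * than the bytes actually received also reads past the end of msg.
 * Only ever call this on well-formed input. */
int decode_tag_unchecked(struct device_buf *dst, const uint8_t *msg, size_t msg_len) {
    if (msg_len < TAG_HDR_LEN) return -1;
    uint16_t len = tag_len(msg);
    memcpy(dst->data, msg + TAG_HDR_LEN, len);   /* no bound on len */
    dst->used = len;
    return (int)len;
}

/* Hardened pattern: validate the declared length against both the bytes
 * actually received and the capacity of the destination before copying.
 * Returns the payload length, or -1 if the tag is rejected. */
int decode_tag_checked(struct device_buf *dst, const uint8_t *msg, size_t msg_len) {
    if (msg_len < TAG_HDR_LEN) return -1;
    uint16_t len = tag_len(msg);
    if ((size_t)len > msg_len - TAG_HDR_LEN) return -1;   /* claims more than was sent */
    if ((size_t)len > DEVICE_BUF_LEN) return -1;          /* exceeds the device buffer */
    memcpy(dst->data, msg + TAG_HDR_LEN, len);
    dst->used = len;
    return (int)len;
}

/* Constructed sample messages (not captured CODESYS traffic). */
static const uint8_t GOOD_MSG[] = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* Same payload, but the header declares 0xFFFF bytes. */
static const uint8_t BAD_MSG[]  = { 0x01, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o' };

/* 1 if the checked decoder accepts the message, 0 if it rejects it. */
int checked_accepts(const uint8_t *msg, size_t msg_len) {
    struct device_buf buf = {0};
    return decode_tag_checked(&buf, msg, msg_len) >= 0;
}

/* 1 if the checked decoder copies exactly the "hello" payload of GOOD_MSG. */
int good_payload_matches(void) {
    struct device_buf buf = {0};
    int n = decode_tag_checked(&buf, GOOD_MSG, sizeof GOOD_MSG);
    return n == 5 && buf.used == 5 && memcmp(buf.data, "hello", 5) == 0;
}

int main(void) {
    struct device_buf buf = {0};
    printf("good message: checked decoder returns %d\n",
           decode_tag_checked(&buf, GOOD_MSG, sizeof GOOD_MSG));
    printf("bad message:  checked decoder returns %d\n",
           decode_tag_checked(&buf, BAD_MSG, sizeof BAD_MSG));
    return 0;
}
```

The fix is the two comparisons that run before the copy: the length claimed by the sender is checked against what was actually received and against the destination's capacity, and the tag is dropped if either fails. That ordering, validate then copy, is the whole difference between the two functions.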

Updates? Good luck with that. jcrummy explains:

For those unfamiliar with industrial systems: It is highly unlikely that any PLCs … have ever been patched. Once a PLC is installed and running, they rarely get touched unless something isn’t working, and if they are touched, it is normally just to make a program change to fix the problem the technician was called for, not to do a firmware update.

People … using PLCs on equipment are very risk-averse: … They don’t want to be the one who made a machine not work because they applied a firmware update to it. … Industrial equipment security really comes down to keeping people from accessing it in the first place, because even if an installation started out with up-to-date firmware and everything up to snuff, in a year, five years, or 15 years (typical lifespans of equipment), everything will be a year, five years, or 15 years out of date.

Well, quite. So, why are these things on the internet? thegarbz has zero trust in that way of thinking: [You’re fired—Ed.]

This is a great way of creating a false sense of security. Airgap-it-and-done breeds a culture of bad security thanks to, “We’ve airgapped it, we don’t need to do X, Y or Z.” And that’s precisely how you end up with Stuxnet—a successful attack on an airgapped system.

Including power plants? u/TexasVulvaAficionado thinks airgap lovers “haven’t set up much stuff at power plants in the last ten years, apparently”:

Airgapping is less and less realistic. Even data diodes are a hard ask in most cases. Companies/governments have tight budgets for these utility projects and want all the data for integration with other systems, compliance reporting, and AI/ML applications.

All this talk of Codesys is giving Nick Ryan the heebie-jeebies:

I’ve run into it in the past and the horrors in the Codesys environment were extensive. … Coming from a professional developer background, the amateur, non-standard nonsense that prevailed through much PLC development was really trying. The two—or was it three?—different paradigms for development were all incomplete, non-transferable and all lacking in substantial, critical ways.

I had the unpleasant task of trying to work out why a hopeless implementation of a bastard child of a flow chart and a state machine was failing randomly. … Who needs logging or even inspection when trying to work out why something isn’t working? … Incredibly frustrating.

Worrying stuff. afidel brings us back down to Earth with a bump:

It’s not just operational risk: Almost a decade of following the US Chemical Safety Board has shown me that better than 9 out of 10 serious accidents they investigate involve poor change control or process start procedures. Screwing with the equipment can kill people and reduce entire facilities to ash.

Meanwhile, this Anonymous Coward thinks it’s time for an off-color metaphor:

Getting security advisories from Microsoft is a little like getting advice from an STD doctor in a bordello.

And Finally:

Great hair, though

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Pey Khakbaz (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
