Last Friday, Siemens released security patches that addressed a serious newly-discovered weakness in the S7-1500 and S7-1200 logic controllers. An attacker could exploit those vulnerabilities to gain remote access to protected memory areas as well as run arbitrary code without getting detected or restricted. The success of such an attack is often described as the “Holy Grail” of hackers.
The newly-found weakness is tracked as CVE-2020-15782, and it was first discovered by the Claroty cyber-security company. The company discovered the bug after its researchers reverse-engineered the MC7/MC7+ bytecode that is used to run logic controller programs. At the moment, there’s no information about instances where this bug has been exploited in the wild.
Siemens released an advisory in which the company states that unauthenticated attackers who have remote access to TCP 102 ports could run arbitrary code in protected areas of the memory as well as obtain sensitive data that could help them in future attacks.
According to Tal Keren, a researcher at Claroty, only a few attackers have ever achieved remote execution of arbitrary code in industrial control systems (which is what the Siemens programmable logic controllers are). Such systems typically have very advanced security features that an attacker would have to overcome before they could run malicious code in them and remain undetected while doing so.
In addition to allowing hackers to launch malicious code in the attacked system, the newly-discovered flaw can also enable the attackers to stay undetected by the operating system or even by any diagnostic procedures that may be initiated while the attacker is active. This can be done by breaking out of the user sandbox in order to write arbitrary code straight into the protected areas of the system’s memory that should normally be inaccessible.
Claroty’s report notes that, in order for such an attack to be carried out, the attacker would have to have network access to the logic controller and also have “download rights” in it. Claroty’s researchers attempted to jailbreak the native sandbox of a PLC to put the theory to the test, and they were able to inject a malicious kernel program into the system that would grant them the ability to remotely launch arbitrary code.
This isn’t the first instance of a bug that allows remote arbitrary code execution in Siemens programmable logic controllers. All the way back in 2010, a worm known as Stuxnet was able to exploit several Windows flaws that allowed it to modify the code in Siemens PLCs and thus reprogram industrial control systems in order to perform espionage and sabotage.
Also, in 2019, the attack type know as Rogue7 was demonstrated by researchers – this type of attack could allow attackers to exploit flaws in the S7 proprietary communication protocol and thus inject messages into the system that are favorable for the attacker.
In Siemens’ advisory that addresses the matter, the company strongly advises its customers to make sure that all of the latest updates are installed in order to decrease the risk. Siemens also stated that it is working on additional security updates to mitigate the problem. Furthermore, the users are advised to apply all common cybersecurity precaution measures in order to keep their systems safe in case there isn’t currently an update that fixes the flaw for the product that they are using.