Researchers Unveil Widespread Flaw In Industrial SystemsExploitation Could Lead to RCE and DoS Attacks in Millions of Devices
Security researchers from Microsoft disclosed vulnerabilities in a software development kit used for industrial applications, urging users to apply patches lest hackers attempt a remote code execution attack.
The computer giant said the flaws are in version three of the Codesys software environment developed by the Germany company of the same name, which released patches earlier this spring. Codesys said its programmable logic controllers software development kit is compatible with approximately 1,000 different devices made by more than 500 manufacturers.
A dozen of the flaws are buffer overflow vulnerabilities that have a CVSS score of 8.8. The flaws can be exploited for denial-of-service attacks or for remote code execution.
"A DoS attack against a device using a vulnerable version of Codesys could enable threat actors to shut down a power plant, while remote code execution could create a backdoor for devices and let attackers tamper with operations, cause a PLC to run in an unusual way, or steal critical information," Microsoft said.
Global concerns over the hacking of operational technology have mounted in tandem with worries that state actors could turn to destructive hacks. ENISA, the European Union agency for cybersecurity, warned in November that "state-backed threat actors will step up their reconnaissance against OT networks, develop capabilities and increasingly target them for the foreseeable future, especially during times of crisis and armed conflict."
Microsoft researchers collectively dubbed the vulnerabilities CoDe16. Codesys' April patch advisory describes the flaws as requiring low skills to exploit but says no know attack occurred exploiting the bugs. A hacker attempting exploitation would first have to successfully log into a system. Codesys recommends that its clients enforce access controls to programmable logic controllers rather than leaving them accessible on a network.
To bypass the user authentication hurdle, Microsoft's researchers used a four-year-old known vulnerability that allowed them to exfiltrate credentials by means of a replay attack against the PLC. They then targeted the latest set of bugs to trigger a buffer overflow and gain control of the device.
The software development kit consists of several different components, and each one is associated to a particular functionality of the PLC. The kit also contains management software that runs on Windows machines and a simulator that allows users to test their PLC systems before deployment.