Kaspersky helps eliminate severe bugs in popular automated industrial system software
Kaspersky ICS CERT researchers have discovered several vulnerabilities in a popular framework used for developing industrial devices such as programmable logic controllers (PLC) and Human-Machine Interface (HMI).
These devices are at the heart of almost any automated industrial facility – from critical infrastructure to production processes. The uncovered vulnerabilities potentially allowed an attacker to conduct covert destructive remote and local attacks on the organization where PLCs developed through this vulnerable framework are used. The framework was developed by CODESYS® and the vulnerabilities were fixed by the vendor following a report from Kaspersky.
PLCs are devices that automate processes that previously had to be performed manually or with help of complex electro-mechanical devices. In order to make a PLC work correctly, these devices should be programmed. This programming is done via a special software framework that helps engineers to code and upload process automation program instructions into PLC. This also provides a runtime execution environment for the PLC program code. This software is used across various environments, including production, energy generation, smart city infrastructures and many more. As Kaspersky researchers discovered, such software could become vulnerable and interfered with.
The researchers investigated a sophisticated and powerful tool designed for developing and controlling PLC programs. As a result, they were able to identify more than a dozen security issues in the main network protocol of the framework and the framework runtime, four of which were recognized as particularly serious and were assigned with separate IDs: CVE-2018-10612, CVE-2018-20026, CVE-2019-9013, and CVE-2018-20025.
Depending on which of these flaws is exploited, an attacker would be able to intercept and forge network command and telemetry data flaws, steal and reuse passwords and other authentication information, inject malicious code into runtime and elevate the attacker’s privileges in the system as well as other unauthorized actions — all effectively hiding their presence in the attacked network. In practice this means that an attacker would be able to either corrupt the functionality of PLCs at a particular facility or get full control over it, whilst staying under the radar of the operation technology (OT) personnel of the attacked facility. They could then disrupt operations or to steal sensitive data, such as intellectual properties and other confidential information, like factory production capabilities or new products in production. This is in addition to being able to oversee the operations of the facility and gather other intelligence that may be considered sensitive in the attacked organization.
Upon discovery, Kaspersky immediately reported these issues to the vendor of the affected software. All reported vulnerabilities are now fixed, and patches are available for framework users.
“The vulnerabilities we’ve discovered were providing an extremely wide attack surface for potentially malicious behavior and, given how widespread the software in question is, we are grateful to the software vendor for their prompt response and ability to swiftly fix these issues. We would like to think that as a result of this research we were able to make the job for attackers significantly harder. However, many of these vulnerabilities would have been discovered earlier, if the security community were involved in the development of network communication protocol at earlier stages. We believe collaboration with the security community should become good practice for developers of important components for industrial systems – including both hardware and software. Especially given that so-called Industry 4.0 which in large part based on the modern automated technologies is around the corner,” comments Alexander Nochvay, security researcher at Kaspersky ICS CERT.
"Product security is of utmost importance to the CODESYS Group. We therefore appreciate the comprehensive research results provided by Kaspersky – they help us to make CODESYS even securer. For many years now, we have been investing considerable technical and administrative efforts to permanently improve the security features of CODESYS. All detected vulnerabilities are immediately investigated, assessed, prioritized and published in a security advisory. Fixes in form of software updates are promptly developed and immediately made available to all CODESYS users in the CODESYS Store," - said Roland Wagner, Head of Product Marketing at CODESYS Group
To address the potential risks that exploitation of the reported issues brings, Kaspersky specialists advise the following measures:
- Developers that use the framework are advised to request the updated version and subsequently update firmware for devices if they were created with help of this framework
- Industrial engineers are advised to consider updating the firmware on their devices with respect to their enterprise’s patch management procedures if the device was created with help of this framework and if the developer of device-issued relevant update for its product
- Devices, where development environments and/or SCADA are deployed, should be equipped with relevant protection
- Devices used in industrial environments should work on an isolated, limited network.
- Until firmware patches are applied, security teams guarding industrial networks should consider deploying specific measures, such as targeted attack detection solutions, industrial network monitoring, delivering regular IT and OT staff security training and other security measures necessary to protect against sophisticated threats
To learn more about the research read the full paper on the Kaspersky ICS CERT website.
About Kaspersky ICS CERT
Kaspersky Industrial Control Systems Cyber Emergency Response Team (Kaspersky ICS CERT) is a global project launched by Kaspersky in 2016 to coordinate the efforts of automation system vendors, industrial facility owners and operators, and IT security researchers to protect industrial enterprises from cyberattacks. Kaspersky ICS CERT devotes its efforts primarily to identifying potential and existing threats that target industrial automation systems and the Industrial Internet of Things. Since its inception, the team identified over 200 critical vulnerabilities in products by major global ICS vendors. Kaspersky ICS CERT is an active member and partner of leading international organizations that develop recommendations on protecting industrial enterprises from cyberthreats. ics-cert.kaspersky.com
About Kaspersky
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
Kaspersky helps eliminate severe bugs in popular automated industrial system software
Kaspersky
Related Articles Press Releases
Kaspersky Thin Client 2.0: Cyber Immune protection with enhanced connectivity, performance and design
Kaspersky has presented an updated operating system for thin clients that offers enhanced connectivity, higher speed of applications delivery, lower total cost of ownership, user-friendly graphical interface and quick deployment. Kaspersky Thin Client 2.0 is the main component of the Cyber Immune solution for building thin client infrastructure in a wide range of industries, including healthcare, finance, education and manufacturing.Read More >New DuneQuixote cyberespionage campaign targets governmental entities worldwide
Kaspersky researchers have discovered an ongoing malicious campaign initially targeting a governmental entity in the Middle East. Further investigation uncovered more than 30 malware dropper samples actively employed in this campaign, allegedly expanding the victimology to APAC, Europe and North America. Dubbed DuneQuixote, the malware strings incorporate snippets taken from Spanish poems to enhance persistence and evade detection, with the ultimate goal of cyber espionage.Read More >Kaspersky Extended Detection and Response now available for implementation into business infrastructures
Kaspersky has announced that its new solution, Kaspersky Extended Detection and Response (XDR), is now available to customers after a successful evaluation phase with early adopters in a test environment. Companies can now seamlessly integrate this advanced product into their infrastructure under its new name, ‘Kaspersky Next XDR Expert’.Read More >
We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.