Siemens ProductCERT recently released a Security Advisory warning of a memory protection bypass vulnerability present in its SIMATIC S7-1200 and S7-1500 programmable logic controllers (PLCs). Successfully exploiting this vulnerability could allow a remote, unauthenticated attacker to potentially write arbitrary data and code to usually protected memory areas or read sensitive information in order to launch further attacks.
For hackers and cybercriminals, achieving remote native code execution is the ultimate prize. What makes CVE-2020-15782 even worse is that it can be exploited remotely, instead of requiring hardware hacking, which needs physical access to the PLCs.
Few attackers ever gain this type of unfettered access, especially on industrial systems such as PLCs which normally have multiple layers of memory protections in place.
The vulnerability has been assigned a CVSS v3.1 Base Score of 8.1 by Siemens, while NIST has rated it 9.8 (CRITICAL).
The fact that vulnerabilities like these are still waiting to be found in many critical systems shows the importance of being proactive about security and the effectiveness of techniques like penetration testing.
LIFARS will test the real-world effectiveness of your security controls while achieving compliance and protecting your brand. Our core team includes cyberwarfare experts, members holding NATO offensive Top Security Clearance, and ex-NSA personnel. Our ethical hackers will find weaknesses in your infrastructure, exploit them, and report their findings.
How Does it Work?
According to the researchers who discovered the vulnerability, an attacker would need network access to the PLC (on TCP port 102) as well as download rights to it. The user sandbox can then be escaped by reverse-engineering the MC7 / MC7+ bytecode language, enabling attackers to inject malicious kernel-level code into the OS and granting them native remote code execution.
Attackers can also remain undetected by the underlying operating system or diagnostic software by escaping the user sandbox to write arbitrary data and code directly into protected memory regions.
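Because the attack described above starts with network access to the PLC on TCP port 102, one practical detection is to flag any host other than a known engineering workstation opening an S7 connection to a PLC. The following script is an added example, not code from the advisory or from Siemens; the PLC subnet, the engineering workstation allowlist and the key=value firewall log lines are all constructed for illustration.

```python
import ipaddress

S7_PORT = 102  # ISO-on-TCP port used for S7 communication, as named in the advisory

# Hypothetical site inventory: the PLC subnet and the engineering workstations (EWS)
# that legitimately download projects to the PLCs. Anything else reaching TCP 102 is suspect.
PLC_SUBNET = ipaddress.ip_network("10.10.5.0/24")
EWS_ALLOWLIST = {ipaddress.ip_address("10.10.1.20")}

# Constructed sample firewall log lines (not captured traffic), key=value style.
SAMPLE_LOGS = """\
2021-05-28T10:01:02Z action=allow src=10.10.1.20 dst=10.10.5.11 dport=102 proto=tcp
2021-05-28T10:01:05Z action=allow src=10.10.1.20 dst=10.10.5.12 dport=102 proto=tcp
2021-05-28T10:02:10Z action=allow src=10.10.9.77 dst=10.10.5.11 dport=102 proto=tcp
2021-05-28T10:02:11Z action=allow src=10.10.9.77 dst=10.10.5.11 dport=443 proto=tcp
2021-05-28T10:03:00Z action=deny src=192.168.44.3 dst=10.10.5.12 dport=102 proto=tcp
2021-05-28T10:03:30Z action=allow src=10.10.5.11 dst=10.10.1.20 dport=102 proto=tcp
"""

def parse_line(line):
    """Turn 'timestamp k=v k=v ...' into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        rec[key] = value
    return rec

def find_unexpected_s7_clients(log_text):
    """Return (ts, src, dst, action) for TCP 102 connections to a PLC from a non-EWS host.

    Denied attempts are reported too: a blocked probe for the S7 port is still worth a look.
    Traffic where the PLC is the source is ignored, since only connections *to* a PLC matter here.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("proto") != "tcp" or rec.get("dport") != str(S7_PORT):
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
            dst = ipaddress.ip_address(rec["dst"])
        except (KeyError, ValueError):
            continue  # skip records with missing or unparsable addresses
        if dst in PLC_SUBNET and src not in EWS_ALLOWLIST:
            alerts.append((rec["ts"], str(src), str(dst), rec.get("action", "?")))
    return alerts

if __name__ == "__main__":
    for alert in find_unexpected_s7_clients(SAMPLE_LOGS):
        print("unexpected S7 client: ts=%s src=%s dst=%s action=%s" % alert)
```

On the constructed sample this reports two lines: the allowed connection from 10.10.9.77 and the denied attempt from 192.168.44.3; the connection on port 443 and the PLC-initiated traffic are not flagged.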
CVE-2020-15782 seems to be the peak in a history of ever more sophisticated attacks aimed at Siemens PLCs.
Stuxnet is still one of the most notorious. In 2010, the worm leveraged multiple flaws in Windows to hide user-level code on PLCs by intercepting code blocks on the engineering workstation (EWS). This enabled attackers to perform cyber espionage as well as remote sabotage. Stuxnet was used against systems that form part of Iran’s nuclear program. This caused considerable harm before mutating and spreading.
In 2019, researchers identified another potential attack vector in the form of Rogue7. This exploited vulnerabilities in the S7’s proprietary communication protocol, allowing remote attackers to impersonate the PLC’s TIA (Totally Integrated Automation) software. This gave attackers unrestricted access to plant messages, which could open the door for further attacks.
What Should You Do?
Any users of SIMATIC S7-1200 and S7-1500 CPU products should take immediate action to mitigate any potential attacks.
Siemens has released firmware updates for several affected products and strongly recommends updating to the latest versions. These updates enhance the security of these models by using a TLS certificate to enable PG/PC and HMI communication, protecting confidential PLC configuration data, enhancing encryption for CPU access level passwords, etc.
If for whatever reason you are unable to proceed with the updates, Siemens has also provided numerous workarounds and mitigations you can implement. For example:
- Apply password protection for S7 communication
- Disallow client connections via the ENDIS_PW instruction to block remote access
- Configure additional access protection of the S7-1500 CPU
- Ensure that you comply with Siemens Operational Guidelines for Industrial Security