Researchers at industrial cybersecurity firm Claroty have discovered a high-severity vulnerability in Siemens PLCs, tracked as CVE-2020-15782, that could be exploited by remote and unauthenticated attackers to bypass memory protection.
The vulnerability could allow an attacker with network access to TCP port 102 to write or read data in protected memory areas.
The flaw impacts SIMATIC S7-1200 and S7-1500 CPUs. The vendor has already released firmware updates for the impacted systems, and has also provided workarounds for those products for which it has yet to address the flaw.
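Because exploitation requires network access to TCP port 102 on the PLC, one practical detection while firmware updates or workarounds are rolled out is to flag S7 connections that do not come from a known engineering workstation or SCADA host. The following script is an added example, not code from Claroty or Siemens; the subnet, allowlist and flow-log format are constructed for illustration.

```python
# Added example (not Claroty's or Siemens' code): flag TCP/102 connections
# into the PLC subnet from hosts that are not on an allowlist. Exploiting
# CVE-2020-15782 needs network access to TCP port 102, so an unexpected
# client on that port is worth an alert.
from ipaddress import ip_address, ip_network
from typing import List, Tuple

S7_PORT = 102

# Assumed network layout (constructed for this example).
PLC_SUBNET = ip_network("10.10.20.0/24")         # S7-1200/S7-1500 CPUs
ALLOWED_CLIENTS = [ip_network("10.10.10.5/32"),  # engineering workstation
                   ip_network("10.10.10.6/32")]  # SCADA server

# Constructed flow-log lines: "<ts> <src_ip> <src_port> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOWS = """\
2021-05-28T10:00:01Z 10.10.10.5 49152 10.10.20.11 102 tcp
2021-05-28T10:00:04Z 10.10.10.6 49200 10.10.20.12 102 tcp
2021-05-28T10:01:10Z 192.168.1.77 51000 10.10.20.11 102 tcp
2021-05-28T10:01:15Z 10.10.10.5 49153 10.10.20.11 443 tcp
2021-05-28T10:02:00Z 10.10.30.9 40000 10.10.20.12 102 udp
"""

def is_allowed(src_ip) -> bool:
    return any(src_ip in net for net in ALLOWED_CLIENTS)

def find_unexpected_s7_clients(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src_ip, dst_ip) for TCP/102 flows into the PLC
    subnet whose source is not allowlisted. Malformed lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, _sport, dst, dport, proto = parts
        try:
            src_ip, dst_ip = ip_address(src), ip_address(dst)
        except ValueError:
            continue  # not an IP address; skip the line
        if proto != "tcp" or dport != str(S7_PORT) or dst_ip not in PLC_SUBNET:
            continue
        if not is_allowed(src_ip):
            hits.append((ts, src, dst))
    return hits

if __name__ == "__main__":
    for ts, src, dst in find_unexpected_s7_clients(SAMPLE_FLOWS):
        print(f"ALERT {ts}: unexpected S7 client {src} -> {dst}:{S7_PORT}")
```

Only the third sample flow is reported: the allowlisted hosts, the HTTPS flow and the UDP flow are ignored.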
“SIMATIC S7-1200 and S7-1500 CPU products contain a memory protection bypass vulnerability that could allow an attacker to write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks.” reads the advisory published by the German vendor. “Siemens has released updates for several affected products and strongly recommends to update to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet available.”
The flaw could allow attackers to bypass the sandbox to run native code in protected areas of memory of Siemens S7 PLCs.
“Previous work has required physical access and connections to the PLC, or techniques that target engineering workstations and other links to the PLC in order to gain that level of code execution. Claroty, meanwhile, has taken those efforts a step further using a newly discovered vulnerability that bypasses the PLC sandbox within Siemens’ SIMATIC S7-1200 and S7-1500 PLC CPUs to run native code in protected areas of memory.” reads the post published by Claroty. “An attacker could use this vulnerability, CVE-2020-15782, to remotely obtain read-write memory access that would be difficult to detect and remove.”
The company’s researchers showed how an attacker could bypass protections and write shellcode directly into protected memory. An attack exploiting this vulnerability would be difficult to detect, the researchers claim.
An attacker that is able to escape the sandbox would be able to remotely read and write data on the PLC, and could potentially patch an existing VM opcode in memory with malicious code to achieve root permissions on the device.
“Claroty, for example, was able to inject ARM/MIPS shellcode directly to an internal operating system structure in such a way that when the operating system uses a specific opcode that we chose, our malicious shellcode would execute, giving us remote code execution.” concludes Claroty. “We used this technique to install a kernel-level program with some functionality that is completely hidden to the operating system,” they added.
Claroty’s blog post describes the PLC sandbox and the role CVE-2020-15782 could play in an attack.
(SecurityAffairs – hacking, Siemens PLCs)