Threat Update
An unauthenticated remote code execution vulnerability has been detected in several Siemens PLC devices. An unauthenticated remote attacker with access to TCP port 102 could exploit this to read or write arbitrary code to protected memory areas. This can allow them to add, remove, or change data that is in those protected memory areas, and maintain nearly invisible persistence on these devices. Siemens has released a firmware update and strongly recommends afflicted devices as soon as possible.
Technical Detail & Additional Information
WHAT IS THE THREAT?
A vulnerability has been discovered in Siemens Programmable Logic Controllers (PLCs). Industrial cybersecurity firm Claroty discovered this vulnerability, identified as CVE-2020-15782, which can allow a remote unauthenticated attacker to read or write to protected memory areas. This means that an attacker with network access to TCP port 102 can write arbitrary code to protected areas in memory, which can be used to launch an attack at will. With remote access like this that does not allow authentication, the attacker is free to write whatever code they wish into these protected memory areas, which can easily result in further exploitation while remaining relatively undetectable.
WHY IS IT NOTEWORTHY?
An unauthenticated remote code execution vulnerability is among the most dangerous known vulnerabilities. This means a potential attacker does not need physical access to the device they seek to exploit. The attacker can then use shellcode to create a backdoor and establish persistence, all while remaining undetected. This can result in the attacker further extending their access to the network by moving laterally now that they have access to a single device and are able to read and write to memory at which can result in the installation of unwanted programs. The nature of the devices that are compromised is also notable. PLCs are used most often in industrial machinery, and compromise of industrial systems is on the rise. While not explicitly similar attack vectors, the compromise of JBS in the meatpacking industry and of the Colonial pipeline have revealed that attackers are willing to go after a broader scope of targets.
WHAT IS THE EXPOSURE OR RISK?
As with many unauthenticated remote code execution vulnerabilities the most prominent risk is that the attacker can execute arbitrary code on the device while remaining largely undetected. This means the attacker will be able to add, remove, or change information that is located in the compromised areas of memory at will. This can result in the attacker establishing nigh-undetectable persistence via a shell, and then remaining unnoticed in the device while spreading to other devices and potentially adding dangerous programs. Ultimately an attacker who is granted root access to the device in this way would be very hard to detect and would likely be able to do significant damage if left unchecked.
WHAT ARE THE RECOMMENDATIONS?
Siemens has already released a firmware update for the SIMATICS7-1200 and S7-1500 CPUs, which are the devices affected by this vulnerability. It is strongly recommended that any users of the vulnerable devices update them immediately. Siemens is also “preparing further updates and recommends specific countermeasures for products where updates are not, or not yet available”.
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://securityaffairs.co/wordpress/118367/ics-scada/cve-2020-15782-siemens-plcs-flaw.html
- https://thehackernews.com/2021/05/a-new-bug-in-siemens-plcs-could-let.html
If you have any questions, please contact our Security Operations Center.
