Critical flaw found in software used by many industrial control systems
CoDeSys runtime flaw allows hackers to execute commands on critical industrial control systems without authentication, researchers say
IDG News Service - CoDeSys, a piece of software running on industrial control systems (ICS) from over 200 vendors contains a vulnerability that allows potential attackers to execute sensitive commands on the vulnerable devices without the need for authentication, according to a report from security consultancy Digital Bond.
The vulnerability was discovered by former Digital Bond researcher Reid Wightman as part of Project Basecamp, an ICS security research initiative launched by Digital Bond last year.
Described as a design issue, the vulnerability is located in the CoDeSys runtime, an application that runs on programmable logic controller (PLC) devices. PLCs are digital computers that control and automate electromechanical processes in power plants, oil and gas refineries, factories and other industrial or military facilities.
The CoDeSys runtime allows PLCs to load and execute so-called ladder logic files that were created using the CoDeSys development toolkit on a regular computer. These files contain instructions that affect the processes controlled by the PLCs.
According to the Digital Bond report, the CoDeSys runtime opens a TCP (Transmission Control Protocol) listening service that provides access to a command-line interface without the need for authentication.
The company has created and released two Python scripts: one that can be used to access the command line interface and one that can read or write files on a PLC running the CoDeSys runtime. There are plans to convert these scripts into modules for Metasploit, a popular penetration testing framework.
Depending on the PLC model, the command-line interface allows a potential attacker to start, stop and reset PLC programs; dump the PLC memory; get information about the tasks and programs running on the PLC; copy, rename, delete files on the PLC filesystem; set or delete online access passwords and more.
CoDeSys is developed by a company called 3S-Smart Software Solutions based in Kempten, Germany. According to the company's website, the software is used in automation hardware from over 200 vendors.
The vulnerability and scripts were tested on only a handful of products from the 261 potentially affected vendors, Digital Bond founder and CEO Dale Peterson said Thursday in a blog post. One of those PLCs was running Linux on an x86 processor while another was running Windows CE on an ARM processor.
"This attack can be used not only to control the PLC but also to turn the PLC into an 'agent' to attack other devices in the network," Ruben Santamarta, a security researcher from security firm IOActive, said Friday via email. Santamarta found vulnerabilities in industrial control systems in the past as part of Project Basecamp.
"We are aware of this security issue," Edwin Schwellinger, support manager at 3S-Smart Software, said Friday via email. "A patch is under development but not released. We are working with high pressure on these issues."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts