21 July 2021, Kathmandu
Cybersecurity researchers on Wednesday disclosed multiple security vulnerabilities affecting the CODESYS automation software and the WAGO programmable logic controller (PLC) platform that could be remotely exploited to take control of an organization's cloud-managed operational technology (OT) infrastructure.
“These issues could turn into creative attacks which enable malicious actors to remotely control the enterprise’s cloud OT implementation, as well as threaten any industrial process managed from the cloud,” New York-based industrial security company Claroty said in a report shared with The Hacker News, adding that “they can be used to target cloud-based management consoles from infected field devices, or to control the company’s cloud and attack PLCs and other devices to disrupt operations.”
CODESYS is a development environment for programming controller applications that allows easy configuration of PLCs in industrial control systems. WAGO PFC100/200 is a series of PLCs that uses the CODESYS platform to program and configure the controller. Successful exploitation of the vulnerabilities could allow the installation of malicious CODESYS packages, cause a denial-of-service (DoS) condition, enable privilege escalation through the execution of malicious JavaScript code or, worse, allow an attacker to tamper with or completely destroy the device.
The attacks can take one of two forms: “bottom-up” or “top-down.” The two paths mirror the routes an attacker might take to compromise PLC endpoints and, from there, the cloud-based management console, or, in reverse, to take over the cloud and manipulate every networked field device. The “bottom-up” exploit chain devised by Claroty combines CVE-2021-34566, CVE-2021-34567 and CVE-2021-29238: it first obtains remote code execution on the WAGO PLC, uses that access to reach the CODESYS WebVisu human-machine interface (HMI), and then mounts a cross-site request forgery (CSRF) attack to take control of the CODESYS Automation Server instance.
“A malicious actor who gets access to the PLC managed by the automated cloud server could modify the `webvisu.js` file and add JavaScript code to the end of the file. This code will send a malicious request to the cloud server on behalf of the connected cloud server,” explains Claroty researcher Uri Katz, who identified and reported the shortcomings.
“When a cloud user views a WebVisu page, the modified JavaScript will take advantage of the missing CSRF token and run in the context of the viewing user; the request will contain the CAS cookies. Malicious actors could use it to POST to `/api/db/User` and add a new administrator user, which would give them complete access to the CODESYS cloud platform,” Katz added.
The “top-down” scenario, by contrast, starts with a malicious package (CVE-2021-29240) that compromises the CODESYS engineering station, exfiltrates the cloud credentials associated with an operator account, and then uses those credentials to manipulate program logic and gain unrestricted access to all connected PLCs.