Researchers from Microsoft have demonstrated how programmable logic controllers (PLCs) that support the CODESYS runtime can be taken over by exploiting high-severity remote code execution (RCE) vulnerabilities in the popular automation protocol. The flaws were patched earlier this year and impact the CODESYS V3 software development kit (SDK) that is integrated in more than 1,000 device models from more than 500 manufacturers.
“Exploitation of the discovered vulnerabilities, which affect all versions of CODESYS V3 prior to version 3.5.19.0, could put operational technology (OT) infrastructure at risk of attacks, such as remote code execution and denial of service (DoS),” the Microsoft researchers said in a report. “The discovery of these vulnerabilities highlights the critical importance of ensuring the security of industrial control systems and underscores the need for continuous monitoring and protection of these environments.”
Microsoft reported the vulnerabilities to the CODESYS Group, which maintains the popular SDK, in September 2022 and they were patched in updates released in March and April. However, industrial equipment manufacturers that integrate the CODESYS Control Runtime Toolkit into their controllers to allow customers to run and debug applications created with CODESYS will also have to issue updates and the patch development and deployment in the ICS space can be very slow.
15 CODESYS vulnerabilities
The researchers found 12 vulnerabilities that can lead to both remote code execution and DoS in various components of the CODESYS protocol and another three that can result in just denial of service. All except one DoS flaw are rated 8.8 out of 10 on the CVSS severity scale, but a DoS condition can have serious implications when it strikes devices like PLCs that control critical processes in factories, energy plants, and building automation systems.
The CODESYS software suite has multiple components. It provides an integrated development environment (IDE) that runs on engineering workstations and allows users to develop applications according to the IEC 61131-3 standard in multiple programming languages and for multiple CPU architectures used on PLCs. The suite allows users to then upload these applications to PLCs where they get executed by the integrated CODESYS runtime and can also be monitored and debugged. Other add-ons extend the functionality to include visualization, communication with human-machine interfaces (HMIs), advanced motion applications, and more.
The Microsoft researchers set out to investigate the proprietary CODESYS network communications protocol that allows the CODESYS engineering software to communicate with the CODESYS-compatible PLCs. This protocol runs over TCP (ports 11740-11743) or UDP (ports 1740-1743) and is broken down into multiple layers: the block driver layer, the datagram layer, the channel layer, and the services layer.
The services layer was particularly interesting because it was further broken down into multiple components, each implementing a different functionality in the PLC runtime and then every component had different available services (commands) that could be called in the runtime. For example, many of the remote code execution flaws were found in the CmpTraceMgr component which supports the following services:
TraceMgrPacketCreate creates a new trace packet.
TraceMgrPacketDelete deletes a trace manager packet.
TraceMgrPacketStart starts tracing, which is triggered by the TraceTrigger.
TraceMgrRecordUpdate records the current value of the TraceVariable together with the current timestamp.
TraceMgrRecordAdd creates a new TraceRecordConfiguration and adds it to a specific trace packet for a specific IEC task/application.
Furthermore, the data is transmitted via tags, which are essentially data structures that are extracted by the component and sent to the service. For example, TraceMgrRecordAdd activates the relevant service and will attempt to copy data from specified tags into an output buffer. The problem is the tag is copied into the memory buffer without any size validation, leading to a classic buffer overflow.
Buffer overflow vulnerabilities can be exploited to insert attacker-controlled code into the memory buffer and then have that code executed, leading to arbitrary code execution. If this can be achieved remotely, like in this case because the exploit is delivered through a network protocol, it’s remote code execution.
The limitations in this case is that sending requests to a PLC over the CODESYS protocol requires authentication. The Microsoft researchers got past this limitation by exploiting an older vulnerability in CODESYS, CVE-2019-9013, that allows intercepting plain text credentials during log-in and using them to launch a replay attack.
How to mitigate the CODESYS vulnerabilities
“CODESYS GmbH strongly recommends using the online user management,” CODESYS said in its advisory for the vulnerabilities found by Microsoft. “This not only prevents an attacker from sending malicious requests or downloading virulent code, but also suppresses starting, stopping, debugging or other actions on a known working application that could potentially disrupt a machine or system. As of version V3.5.17.0, the online user management is enforced by default.”
In addition to bypassing authentication, the researchers also had to defeat OS and application-level memory protections that are designed to make buffer overflow exploitation harder, such as data execution prevention (DEP) and address space layout randomization (ASLR). The researchers demonstrated their exploits on a Schnieder Electric TM251 controller and a Wago PFC200 device, both of which had both DEP and ASLR enabled, and the process is fully documented in a research paper. They also developed an open-source ICS forensics framework to enable asset owners to identify impacted devices, receive security recommendations for those devices, and identify suspicious artifacts in PLC metadata and project files.
Their general recommendations for users of CODESYS and CODESYS-compatible devices include:
Apply patches to affected devices in your network. Check with the device manufacturers for available patches and update the device firmware to version to 3.5.19.0 or above.
Make sure all critical devices, such as PLCs, routers, and PCs are disconnected from the internet and segmented, regardless of whether they run CODESYS.
Limit access to CODESYS devices to authorized components only.
Due to the nature of the CVEs, which still require a username and password, if prioritizing patching is difficult, reduce risk by ensuring proper segmentation, requiring unique usernames and passwords, and reducing users that have writing authentication.
Critical Infrastructure, Vulnerabilities