Monday, 31 May 2021 13:20

Claroty detects severe memory protection bypass vulnerability in Siemens PLCs, Siemens launches further updates

By Kenn Anthony Mendoza

Claroty says the vulnerability in Siemens PLCs may allow an unauthenticated attacker to write arbitrary data and code to protected memory areas, or to read sensitive data, in order to launch further attacks. In response, Siemens has rolled out mitigation measures to reduce the risk.

Achieving native code execution on an industrial control system such as a programmable logic controller (PLC) is an end goal that relatively few advanced attackers have reached. These complex systems have numerous in-memory protections that would have to be overcome for an attacker not only to run code of their choice, but also to remain undetected, according to Claroty.

Previous work has required physical access and connections to the PLC, or techniques that target engineering workstations and other links to the PLC, in order to gain that level of code execution. Claroty has taken those efforts a step further using a newly discovered vulnerability that bypasses the PLC sandbox within Siemens’ Simatic S7-1200 and S7-1500 PLC CPUs to run native code in protected areas of memory.

Affected devices are vulnerable to a memory protection bypass through a specific operation. A remote unauthenticated attacker with network access to TCP port 102 could potentially write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks.

This disclosure is an outcome of Siemens and Claroty’s existing partnership, which fosters tight cooperation between the research teams and the vendor not only on disclosures but also on the security of the overall industrial ecosystem. Siemens has released an official advisory, SSA-434534, that notifies its users of this vulnerability, and has also released updates for various products, including the S7-1500 and S7-1200, that remediate the vulnerability. Users are urged to update to the latest versions.

Siemens says it is preparing further updates for products where updates are not yet available; Siemens has also provided specific mitigation measures that users can apply to reduce the risk in the meantime. Given the critical nature of this vulnerability, Siemens and Claroty urge users to apply the S7-1200 and S7-1500 CPU updates, as well as those for other affected products.

Previous work
The goal of PLC vulnerability research, from the attacker’s perspective, is to achieve unrestricted and undetected code execution on the PLC. This means being able to hide code deep inside the PLC, undetected by the operating system or by any diagnostic software.

Over the years there have been many attempts to achieve such a capability on Siemens PLCs. First came Stuxnet, which gained user-level code execution on the old Simatic S7-300 and S7-400 by manipulating the local Step 7 project files. Next came the Rogue7 attack.

The researchers behind Rogue7 were able to create a rogue engineering station that could masquerade as the TIA Portal to the PLC and inject any messages favourable to the attacker.

The same year, researchers Ali Abbasi and Tobias Scharnowski presented how they physically attacked the Simatic S7-1200 to gain code execution on Siemens S7 PLCs.

Claroty’s research
Claroty has taken this research a level further, demonstrating a new remote attack that allows it to gain native code execution on Siemens S7 PLCs. The attack targets the kernel and avoids detection because it is able to escape the user sandbox and write shellcode into protected memory regions.

The integrity of a PLC is crucial to operators and engineers, and an attacker’s goal would be to damage that integrity by hiding code on the controller and elevating privileges. To escape, or jailbreak, the native Simatic S7-1200 and S7-1500 sandboxes, Claroty used its memory protection bypass vulnerability. The vulnerability bypasses existing protections within the execution environment of the PLC, including the sandbox in which engineering code would normally run. Claroty was able to use this vulnerability to escape the sandbox and gain direct access to memory, then write and inject shellcode to execute its attack on Siemens S7-1200/1500 PLCs.

Escaping the sandbox means an attacker would be able to read and write from anywhere on the PLC, and could patch an existing VM opcode in memory with malicious code to root the device.

Claroty, for example, was able to inject ARM/MIPS shellcode directly into an internal operating system structure in such a way that when the operating system uses a specific opcode, Claroty’s malicious shellcode would execute, giving remote code execution. Claroty used this technique to install a kernel-level program whose functionality is completely hidden from the operating system.

Kenn Anthony Mendoza