Thursday, 10 September 2020 17:50

Newly discovered vulnerabilities putting OT networks at risk

By Claroty

GUEST RESEARCH by Claroty: Six critical vulnerabilities have been uncovered by Claroty researchers in Wibu-Systems’ CodeMeter third-party license management component that could expose users in numerous industries to takeover of their operational technology (OT) networks.

These flaws can be exploited via phishing campaigns or directly by attackers who would be able to fingerprint user environments in order to modify existing software licenses or inject malicious ones, causing devices and processes to crash. Serious encryption implementation issues, also discovered by Claroty, can be exploited to allow attackers to execute code remotely, and move laterally on OT networks.

CodeMeter is the dominant license management and anti-piracy solution used to protect Industrial Control Systems (ICS). Customers of affected companies who operate in numerous industries, including medical device makers, automakers, manufacturers, process designers, and many others, could be unaware this vulnerable component is running in their environment. Claroty has built an online utility that will help users determine whether they are running a vulnerable version of CodeMeter.

Wibu-Systems has made patches available for all of the flaws in version 7.10 of CodeMeter, which has been available since Aug. 11; many of the affected vendors have been notified and have added, or are in the process of adding, the fixes to their respective installers.



Technical details on the vulnerabilities as well as details about how Claroty uncovered these flaws are available in a paper released today, titled “License to Kill: Leveraging License Management to Attack ICS Networks.”

The Industrial Control System Computer Emergency Response Team (ICS-CERT) today also issued an advisory about these vulnerabilities, and collectively assigned a CVSS score of 10.0, the highest criticality rating available.

OT Networks at Risk for Complete Takeover

The worst of the bugs were found in the product’s encryption implementation, which Claroty researchers leveraged to attack the CodeMeter communication protocol and internal API in order to remotely communicate with, and send commands to, any machine running CodeMeter. Claroty researchers were also able to find vulnerabilities in the CodeMeter WebSocket API that enables management of licenses via JavaScript; an attacker would have to phish or socially engineer a victim to lure them to a site they control in order to use JavaScript to inject a malicious license of their own onto the victim’s machine. Researchers were also able to leverage a separate vulnerability to bypass the digital signatures protecting CodeMeter in order to alter or create valid, forged licenses, and inject them onto any machine running CodeMeter that landed on the attacker’s site.

Vulnerable users would include those in common operational technology (OT) scenarios, such as the one above, where a user runs an engineering station on their laptop in order to manage, compile, and transfer code to a human-machine interface (HMI) or programmable logic controllers (PLCs), and interacts with both IT and OT networks. A convincing phishing email or other social engineering attack could lure the engineer to the attacker’s site where their machine would be infected—with malware such as ransomware, or exploits for other vulnerabilities—and then, once connected to an OT network, infect a PLC or cause it to crash because of the attacker’s malicious license.

The vulnerabilities described here allow an attacker that is either performing a phishing campaign, or one that already has network access to engineering stations and HMIs in critical environments to completely take over those hosts running ICS software from many of the leading vendors. This means the attacker may impact and modify physical processes (as was done in the Triton attacks using Industroyer) or install ransomware, as was alleged in the recent incident affecting Japanese automaker Honda, and effectively take down the ICS environment.

License Manipulation and Forgery

Finding these vulnerabilities was a two-step journey for Claroty researchers. First, they had to fully understand the CodeMeter licensing scheme in order to parse its inner workings. Next they built a novel fuzzer that uncovered vulnerabilities in the licensing scheme that allowed them to modify existing licenses or forge valid, corrupted licenses that would crash machines.

Claroty researchers also found attack vectors in the encryption protecting the CodeMeter proprietary protocol. By cracking that encryption implementation, researchers were able to build their own CodeMeter API and client, granting them the ability to communicate with and send commands to any machine running CodeMeter.

CodeMeter’s license-management solution gives software makers the ability to define the types of licenses that will be applied to products, and its encryption services also deliver intellectual property protection that includes anti-tampering mechanisms, anti-reverse engineering, and more.

A critical vulnerability (CVE-2020-14519) was uncovered in CodeMeter’s WebSocket allowing attackers to abuse the internal WebSocket API via crafted JavaScript code hosted on an attacker-controlled website. The vulnerability allows attackers to inject modified or forged valid licenses. An attacker would likely be able to, for example, target a specific group of engineers looking for advice on a forum dedicated to programmable logic controllers (PLCs) with this vulnerability by hosting the malicious payload on a phony or compromised forum.

Similar to an issue that arose in May when users discovered eBay was running a port scan on visitors to its website by testing WebSocket connections to a number of ports, an attacker could fingerprint a user’s system in order to learn which vendor and what types of licenses are running on a compromised machine, and adjust their attacks accordingly. In some cases, for example, the license could also include customer information that would be of value to the attacker as well.

Researchers also used a custom fuzzer to find other vulnerabilities in the CodeMeter licensing file structure that were combined with separate—and manually discovered—vulnerabilities enabling the bypass of digital signatures used to protect CodeMeter’s licenses (CVE-2020-14515). Chaining these two bugs allows an attacker to sign their own licenses and then inject them remotely. Vulnerabilities related to input validation errors (CVE-2020-14513) could also be exploited to cause industrial gear to crash and be unresponsive, leading to a denial-of-service condition.

Targeting the API for Remote Code Execution

Once Claroty researchers found a way to remotely inject licenses, generate valid licenses (using a custom-built license builder), and discover additional bugs in the CodeMeter license-parser mechanism, the next step would be to chain those and develop a fully working proof-of-concept attack in order to achieve remote code execution on a CodeMeter server.

Claroty researchers were able to find a logic bug in the encryption key-generation function for the Wibu license service. The bug allowed a time-space reduction, from potentially days’ worth of brute-force attempts to just a few seconds offline, to retrieve a valid key (see graphic below).

Decrypting the payload allowed researchers to analyse and understand the proprietary CodeMeter protocol and build their own CodeMeter API in Python that allowed them to communicate with and send commands to remote CodeMeter installations without authentication or authorisation mechanisms.

The researchers also used their fuzzer to find additional memory corruption vulnerabilities in the protocol that could also be triggered on remote CodeMeter implementations.

CodeMeter Vulnerability Mitigations

Claroty researchers stress that because CodeMeter is third-party code integrated into many products from leading ICS vendors, it may not be readily apparent that the vulnerable software is running on a user’s machine.

Claroty’s online utility can help users understand whether they are vulnerable and should take action.

In summary, to mitigate the issue on network level Claroty recommends the following:

Discovery:

Use the Claroty online tool to detect presence of CodeMeter products.

Identify existing software installations of CodeMeter using software inventory solutions such as Microsoft SCCM, Qualys, or antivirus management software. Look for “Wibu” or “CodeMeter”.

Mitigation:

Block TCP port 22350 (CodeMeter network protocol) on your organisation’s border firewall to block the ability to exploit the vulnerability.

Contact vendors to understand if they support manual upgrade of the CodeMeter software so you can upgrade only the third-party component of CodeMeter and not the entire software stack. Based on responses we got from a few vendors, this procedure is supported.
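
As an added example (not Claroty's or Wibu-Systems' code), the discovery step above can be scripted against a software inventory export: the Python below flags entries matching "Wibu" or "CodeMeter" and compares their version with 7.10, the patched release named in this article. The CSV column names and the sample rows are constructed for illustration and do not follow a real SCCM or Qualys schema.

```python
import csv
import io
import re

FIXED = (7, 10)  # patched CodeMeter release named in the article
NAME_RE = re.compile(r"wibu|codemeter", re.IGNORECASE)

# Constructed sample export; hosts, products and build numbers are made up.
SAMPLE_INVENTORY = """host,product,publisher,version
eng-ws-01,CodeMeter Runtime Kit v6.90,WIBU-SYSTEMS AG,6.90.3933.500
hmi-07,CodeMeter Runtime Kit v7.10a,WIBU-SYSTEMS AG,7.10.4196.501
eng-ws-02,Vendor Engineering Suite,Example Automation,3.2.1
plc-prog-03,CodeMeter Runtime,Wibu-Systems,
hist-01,PDF Reader,Example Software,11.0
"""


def parse_version(text):
    """Return (major, minor) as integers, or None when no version can be read."""
    m = re.match(r"\s*v?(\d+)\.(\d+)", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(inventory_csv):
    """Classify each Wibu/CodeMeter row as 'vulnerable', 'patched' or 'unknown'."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        # Match on product and publisher, as the article suggests.
        if not NAME_RE.search(f"{row['product']} {row['publisher']}"):
            continue
        version = parse_version(row["version"])
        if version is None:
            status = "unknown"      # no version recorded: check the host by hand
        elif version < FIXED:
            status = "vulnerable"   # older than 7.10
        else:
            status = "patched"
        findings.append((row["host"], row["version"], status))
    return findings


if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {version or '-':16} {status}")
```

Name matching only finds CodeMeter where the inventory lists it under its own name, so a copy bundled inside a vendor installer (like the constructed eng-ws-02 row) will not appear; rows with no readable version are reported as unknown rather than assumed safe.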

Conclusion

Like Ripple20, these vulnerabilities in Wibu-Systems’ CodeMeter demonstrate the potential for harm when widespread security issues affect third-party components that live everywhere in the ICS domain. Further exacerbating the issue are the difficulties in fixing—at scale—critical vulnerabilities found in third-party components.

There’s much more complexity involved than a single vendor patching software and pushing it out to customers; communication must happen across the entire OT and ICS ecosystems, which impacts response times and likely availability once vulnerable devices are addressed. Claroty encourages users to access its online utility in order to determine whether CodeMeter is running in their environment.

Access Claroty’s vulnerability tester here to determine if your CodeMeter version is compromised.

