The services layer was particularly interesting because it was further broken down into multiple components, each implementing a different piece of functionality in the PLC runtime, and every component exposed its own set of services (commands) that could be called in the runtime. For example, many of the remote code execution flaws were found in the CmpTraceMgr component, which supports the following services:
- TraceMgrPacketCreate creates a new trace packet.
- TraceMgrPacketDelete deletes a trace manager packet.
- TraceMgrPacketStart starts tracing, which is triggered by the TraceTrigger.
- TraceMgrRecordUpdate records the current value of the TraceVariable together with the current timestamp.
- TraceMgrRecordAdd creates a new TraceRecordConfiguration and adds it to a specific trace packet for a specific IEC task/application.
The data in a request is carried in tags, which are essentially data structures that the component extracts from the message and hands to the service. For example, a TraceMgrRecordAdd request invokes the corresponding service, which copies the contents of the specified tags into an output buffer. The problem is that the tag contents are copied into a fixed-size memory buffer without any size validation, so a tag larger than the buffer overruns it: a classic buffer overflow.
A buffer overflow lets an attacker overwrite memory adjacent to the buffer, which can be used to hijack the program's control flow and ultimately run attacker-chosen code. When the overflowing data arrives over the network, as it does here because the malformed request is delivered through the CODESYS protocol, the result is remote code execution.
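The following C program is an added illustration of the tag-copy bug pattern described above; it is not CODESYS code and the tag layout (a 16-bit id, a 16-bit length, then the payload) is an assumption made for the example, not the real wire format. It places guard bytes after a fixed-size output buffer, sends an oversize tag through an unchecked copy and a bounds-checked copy, and reports whether the guard survived.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tag layout (not the real CODESYS encoding): a 16-bit little-endian
 * tag id, a 16-bit payload length, then `len` payload bytes. */
#define TAG_HDR_LEN   4
#define OUT_BUF_SIZE  32          /* size of the fixed output buffer the service fills */
#define GUARD_LEN     32          /* bytes placed after the buffer to detect overruns */
#define GUARD_BYTE    0xA5

struct tag_view {
    uint16_t id;
    uint16_t len;
    const uint8_t *payload;
};

/* Parse the header and check that the declared payload is actually present. */
static bool tag_parse(const uint8_t *msg, size_t msglen, struct tag_view *out)
{
    if (msglen < TAG_HDR_LEN)
        return false;
    out->id  = (uint16_t)(msg[0] | (msg[1] << 8));
    out->len = (uint16_t)(msg[2] | (msg[3] << 8));
    if (out->len > msglen - TAG_HDR_LEN)
        return false;                      /* truncated message */
    out->payload = msg + TAG_HDR_LEN;
    return true;
}

/* Vulnerable pattern: the copy length comes straight from the attacker-controlled
 * header, so anything above OUT_BUF_SIZE runs past the destination. */
static void copy_tag_unchecked(const struct tag_view *t, uint8_t *out)
{
    memcpy(out, t->payload, t->len);
}

/* Hardened form: bound the copy by the destination size and reject oversize tags. */
static bool copy_tag_checked(const struct tag_view *t, uint8_t *out, size_t outlen)
{
    if (t->len > outlen)
        return false;
    memcpy(out, t->payload, t->len);
    return true;
}

/* Simulates one request with a constructed message whose tag declares
 * `declared_len` payload bytes (at most 64). Returns:
 *   1  copy accepted and guard bytes intact
 *   0  copy accepted but guard bytes overwritten (the overflow happened)
 *  -1  request rejected
 */
static int simulate(bool use_checked, uint16_t declared_len)
{
    uint8_t msg[TAG_HDR_LEN + 64];
    uint8_t region[OUT_BUF_SIZE + GUARD_LEN];   /* buffer followed by guard bytes */
    struct tag_view t;
    size_t i;

    if (declared_len > 64)
        return -1;
    msg[0] = 0x01; msg[1] = 0x00;                  /* tag id (arbitrary) */
    msg[2] = (uint8_t)(declared_len & 0xff);
    msg[3] = (uint8_t)(declared_len >> 8);
    memset(msg + TAG_HDR_LEN, 'A', declared_len);  /* constructed payload */

    if (!tag_parse(msg, TAG_HDR_LEN + declared_len, &t))
        return -1;

    memset(region, 0, OUT_BUF_SIZE);
    memset(region + OUT_BUF_SIZE, GUARD_BYTE, GUARD_LEN);

    if (use_checked) {
        if (!copy_tag_checked(&t, region, OUT_BUF_SIZE))
            return -1;
    } else {
        copy_tag_unchecked(&t, region);   /* may run into the guard bytes */
    }

    for (i = 0; i < GUARD_LEN; i++)
        if (region[OUT_BUF_SIZE + i] != GUARD_BYTE)
            return 0;
    return 1;
}

int main(void)
{
    printf("unchecked, 16-byte tag: %d\n", simulate(false, 16));
    printf("unchecked, 40-byte tag: %d\n", simulate(false, 40));
    printf("checked,   40-byte tag: %d\n", simulate(true, 40));
    return 0;
}
```

The guard bytes stand in for whatever sits after the real buffer (a saved return address, a function pointer, a heap chunk header); in the unchecked path a 40-byte tag overwrites them, while the checked path refuses the request before any copy happens. The parse step also shows the second check a robust decoder needs: the declared length must be bounded by the bytes actually received, or a short message becomes an out-of-bounds read.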
The limitation in this case is that sending requests to a PLC over the CODESYS protocol requires authentication. The Microsoft researchers got around it by exploiting an older CODESYS vulnerability, CVE-2019-9013, which allows an attacker on the network path to intercept credentials sent in plain text during login and replay them to authenticate.
How to mitigate the CODESYS vulnerabilities
“CODESYS GmbH strongly recommends using the online user management,” CODESYS said in its advisory for the vulnerabilities found by Microsoft. “This not only prevents an attacker from sending malicious requests or downloading virulent code, but also suppresses starting, stopping, debugging or other actions on a known working application that could potentially disrupt a machine or system. As of version V3.5.17.0, the online user management is enforced by default.”
In addition to bypassing authentication, the researchers also had to defeat OS and application-level memory protections designed to make buffer overflow exploitation harder, such as data execution prevention (DEP) and address space layout randomization (ASLR). The researchers demonstrated their exploits on a Schneider Electric TM251 controller and a Wago PFC200 device, both of which had DEP and ASLR enabled, and the process is fully documented in a research paper. They also developed an open-source ICS forensics framework to enable asset owners to identify impacted devices, receive security recommendations for those devices, and identify suspicious artifacts in PLC metadata and project files.