Critical Flaws in 3rd-Party Code Allow Takeover of Industrial Control Systems | Threatpost

Six critical vulnerabilities have been discovered in a third-party software component powering various industrial systems. Remote, unauthenticated attackers can exploit the flaws to launch various malicious attacks – including deploying ransomware, and shutting down or even taking over critical systems.

The flaws exists in CodeMeter, owned by Wibu-Systems, which is a software management component that’s licensed by many of the top industrial control system (ICS) software vendors, including Rockwell Automation and Siemens. CodeMeter gives these companies tools to bolster security, help with licensing models, and protect against piracy or reverse-engineering.

Wibu-Systems made patches available for all of the flaws in version 7.10 of CodeMeter, on Aug. 11; however, the flaws were only recently disclosed by researchers on Tuesday. Many of the affected vendors have been notified and added – or are in the process of adding – fixes to their installers, said researchers with Claroty who discovered the glitches.

Click to Register

“Successful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code-execution, read heap data and prevent normal operation of third-party software dependent on the CodeMeter,” according to a Tuesday advisory published by ICS-CERT.

Researchers discovered a set of flaws in the CodeMeter WebSocket API (CVE-2020-14519) enabling management of licenses via JavaScript. To exploit the flaws, an attacker would first have to phish or socially-engineer victims to lure them to a site they control.

In one attack scenario, an attacker could target a specific group of engineers looking for advice on a forum dedicated to programmable logic controllers (PLCs), by hosting the malicious payload on a phony or compromised forum. Once the target visits the attacker-controlled website, the threat actors are able to use JavaScript to inject a malicious license of their own onto the target’s machine, researchers said.

“These flaws can be exploited via phishing campaigns or directly by attackers who would be able to fingerprint user environments in order to modify existing software licenses or inject malicious ones, causing devices and processes to crash,” according to Sharon Brizinov and Tal Keren, security researchers with Claroty, in a Tuesday analysis. “Serious encryption implementation issues, also discovered by Claroty, can be exploited to allow attackers to execute code remotely, and move laterally on [operational technology] (OT) networks.”

Another severe flaw (CVE-2020-14509) is a simple buffer-access error, in the packet parser mechanism used by CodeMeter, which does not verify length fields. This flaw has the highest CVSS v3 score possible (10 out of 10), making it critical.

“CVE-2020-14509 is a highly critical vulnerability that poses a great risk to products that are using the third-party component, CodeMeter,” Brizinov told Threatpost. “The vulnerability is a heap buffer overflow memory-corruption flaw, and it could be exploited to gain remote code execution without any prior knowledge of the target machine. All an attacker will need to do is be able to communicate with the target machine via TCP port 22350.”

Another serious bug (CVE-2020-14517) was found in the CodeMeter encryption implementation. This flaw could be  leveraged to attack the CodeMeter communication protocol and internal API, in order to remotely communicate with, and send commands to, any machine running CodeMeter, researchers said.

A breakdown of the CodeMeter WebSocket vulnerability (click to enlarge). Credit: Claroty

The remaining three flaws include an improper input-validation error (CVE-2020-14513) that could force CodeMeter to shut down; an issue in the license-file signature-checking mechanism (CVE-2020-14515) that allows attackers to build arbitrary license files; and an improper-resource shutdown or release vulnerability (CVE-2020-16233).

“Chaining these… bugs allows an attacker to sign their own licenses and then inject them remotely,” said researchers. “Vulnerabilities related to input-validation errors (CVE-2020-14513) could also be exploited to cause industrial gear to crash and be unresponsive, leading to a denial-of-service condition.”

According to ICS-CERT, Wibu-Systems recommends that users update to the latest version of the CodeMeter Runtime (version 7.10). Affected vendors like Rockwell and Siemens have released their own security advisories, but researchers warn that, due to CodeMeter being integrated into many leading ICS products, users may be unaware this vulnerable third-party component is running in their environment.

“CodeMeter is a widely deployed third-party tool that is integrated into numerous products; organizations may not be aware their product has CodeMeter embedded, for example, or may not have a readily available update mechanism,” warned researchers.

Brizinov told Threatpost, researchers have not encountered any active campaigns using these exploits yet. Threatpost has reached out to Wibu-Systems for further comment.

Vulnerabilities in industrial gear has worried the security space due to the dire implications if a critical system is attacked. In July, the U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning that adversaries could be targeting critical infrastructure across the U.S.

In March, security vulnerabilities requiring very little skill to exploit were discovered in ICS devices from Rockwell Automation and Johnson Controls. And in July, researchers warned that remote code-execution flaws in virtual private network (VPN) products could impact the physical functioning of critical infrastructure in the oil and gas, water and electric utilities space.

On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.