Industrial cybersecurity company Claroty has discovered a severe memory protection bypass vulnerability in Siemens programmable logic controllers (PLCs) that could enable attackers to run code of their choice while remaining undetected.
Claroty has been able to achieve native code execution on the Siemens SIMATIC S7-1200 and S7-1500 PLC CPUs by bypassing the PLC sandbox within the chips to run native code in protected areas of memory.
The discovery, disclosed as an outcome of Siemens’ and Claroty’s existing partnership on industrial cybersecurity, is the first to achieve unrestricted and undetected code execution on the PLC.
Escaping the sandbox means an attacker would be able to read and write from anywhere on the PLC, and could patch an existing VM opcode in memory with malicious code to root the device, Claroty said.
The discovery builds on previous attempts to exploit Siemens PLC systems through remote code execution, including Stuxnet, which gained user-level code execution, and the Rogue7 attack, which involved creating a rogue engineering station that can masquerade as the TIA Portal to the PLC and inject any messages favourable to the attacker.
Siemens has issued an official advisory notifying users of the vulnerability, and has released updates for affected products, including the two CPUs, that remediate it. Where an update cannot be applied, the company has also provided mitigation measures that can reduce the risk of attack.