Vulnerability Affects Siemens SIMATIC S7-1200 and S7-1500 CPU
Siemens has released patches for certain automation products that have a critical memory protection vulnerability, which attackers could exploit to execute arbitrary code and access memory areas, allowing them to read sensitive data and use it to launch further attacks, according to a company advisory.
The alert notes that the vulnerability, tracked as CVE-2020-15782, carries a severity score of 8.1, which is highly critical. It affects seven products in the Siemens automation product series SIMATIC S7-1200 and S7-1500 CPU.
The company has released updates for the affected products and has urged customers to apply the patches immediately. “Siemens is preparing further updates and recommends specific countermeasures for products where updates are not yet available,” the company states.
The company did not immediately respond to Information Security Media Group’s request for additional information on whether there have been any successful exploits of the flaw.
Jailbreaking the Flaw
Security firm Claroty, which analyzed the vulnerability, says it was able to jailbreak a Siemens product by exploiting the flaw.
“The holy grail in PLC [programmable logic controller] vulnerability research, from the attacker perspective, is to achieve unrestricted and undetected code execution on the PLC,” Claroty states. “We demonstrate a new and sophisticated remote attack that allows us to gain native code execution on Siemens S7 PLCs.”
Claroty says it was able to jailbreak a device by escaping the user sandbox and then writing a shellcode into protected memory regions. “Escaping the sandbox means an attacker would be able to read and write from anywhere on the PLC,” Tal Keren, a Claroty security researcher, writes. “This malicious shellcode, when executed, gave us remote code execution. We used this technique to install a kernel-level program with some functionality that is completely hidden to the operating system.”
Siemens has strongly advised users of the affected products to take risk mitigation steps, including:
- Enable password protection for S7 communication and configure additional access protection for the devices, such as using built-in security capabilities;
- Block remote client connections, even when the client can provide the correct password;
- Prevent physical access to critical components;
- Ensure the vulnerable systems are not connected to untrusted networks.
Hackers have previously compromised vulnerable SIMATIC devices. For example, the 2010 Stuxnet malware attack against Iranian nuclear facilities targeted Siemens’ SIMATIC S7-300 and S7-400 devices (see: A Flaw Used by Stuxnet Wasn’t Fully Fixed).
“Stuxnet was able to hide the code alteration on the PLC by manipulating binaries on the local engineering station,” Keren says. “Doing so allowed the malware to not only stealthily install itself on PLCs, but also shield itself from WinCC when the control software attempted to read infected memory blocks from the PLC.”
Soon after, a group of security researchers from Israel demonstrated how they could target Siemens industrial control systems using a technique called a rogue engineering-station attack, which allowed them to remotely start or stop the system.