Security Flaws in Software-Based PLC Enable Remote Code Execution on Windows Box
By The Claroty Research Team | May 14, 2020
A US-CERT advisory was issued today for multiple vulnerabilities discovered by Claroty researcher Mashav Sapir. The vulnerabilities affect Opto 22’s SoftPAC Project versions 9.6 and prior.
SoftPAC is a software-based programmable logic controller (PLC) used widely among companies in the power generation and manufacturing sectors. Successful exploitation of the discovered vulnerabilities could enable an adversary to start or stop service, execute malicious code remotely, and/or limit system availability.
However, since the underlying problems related to the discovered vulnerabilities are not unique to SoftPAC, the Claroty Research Team believes other software-based PLCs may face similar problems.
Software-based PLCs’ OT security challenge
Standalone, hardware-based PLCs often were not designed with security in mind, but they benefit from the relative obscurity of running on proprietary OT protocols. In contrast, since software-based PLCs run on Windows machines, their potential exposure to cyber threats is far greater. Software-based PLCs present numerous advantages in terms of productivity, flexibility, reporting, testing, and development, but they can also serve as an entry point for attackers wishing to compromise OT environments.
To help prevent their products from being exploited as attack vectors, PLC vendors should sign and verify their firmware files and establish security controls that reject non-signed files. Without this protection in place, an attacker can replace firmware files with malicious files, either as an infection vector or as a means of gaining persistence within an OT environment that has already been compromised.
Understanding the uncovered SoftPAC vulnerabilities
The SoftPAC PLC runs as a SYSTEM service on Windows machines which is not directly accessible by end users. Rather, SoftPAC vendor Opto 22 provides end users with a different program, SoftPAC Monitor, which allows them to easily control and manage the SoftPAC PLC via another service called SoftPAC Agent.
SoftPAC Monitor allows users to start/stop the PLC service and update the SoftPAC firmware by sending commands to SoftPAC Agent via TCP Port 22000. SoftPAC Agent is only intended to listen for commands from SoftPAC Monitor, but it listens on 0.0.0.0, a non-routable meta-address used to designate an invalid or unknown target; a service bound to it accepts connections arriving on every network interface of the host. Under certain conditions, this could allow attackers to establish external remote connections with SoftPAC Agent (see diagram below).
Diagram: SoftPAC Agent is designed to manage SoftPAC PLC based on user commands received from SoftPAC Monitor, but under the right circumstances, it could be manipulated by an attacker via external remote connections.
Since the protocol used by SoftPAC Agent does not require any form of authentication, a remote attacker could potentially mimic SoftPAC Monitor, establish a remote connection, and execute start/stop service or firmware update commands. While an attacker could use start/stop commands to cause costly and potentially dangerous operational changes, the firmware update command is an area of even greater concern.
Through his research, Sapir determined that when SoftPAC Monitor issues a firmware update command, it sends SoftPAC Agent the path of the new firmware zip file, which wraps the executable file. Neither the firmware update zip file sent by SoftPAC Monitor nor the executable file contained within it is signed. As such, an attacker could send a malicious firmware update command via TCP Port 22000, and SoftPAC Agent would readily receive, extract, and install the executable.
Furthermore, the paths within firmware updates sent by SoftPAC Monitor are not sanitized. This results in a ‘zip slip’ vulnerability during the file’s extraction process, allowing an attacker to achieve arbitrary file write with SYSTEM privileges, which can be easily leveraged to execute malicious code.
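The two controls the post asks vendors for, rejecting unverified packages (the point made under "Software-based PLCs' OT security challenge") and refusing archive entries whose paths escape the install directory (the 'zip slip' flaw just described), can be shown together. The following is an added example, not Claroty's, Opto 22's or SoftPAC's code. It assumes a firmware package is a zip archive delivered with a detached authentication tag, and it uses HMAC-SHA256 under a vendor-held key as a stand-in for the vendor's asymmetric firmware signature so that it runs on the Python standard library alone; every file name, key and archive content in it is constructed.

```python
"""Hardened acceptance of a SoftPAC-style firmware update package.

Added example (not vendor code). A package is verified first, then every
archive path is validated against the install directory, and only then is
anything written to disk.
"""
import hashlib
import hmac
import io
import os
import tempfile
import zipfile
from typing import Dict, List, Tuple

# Assumption: HMAC-SHA256 under a vendor-held key stands in for the vendor's
# public-key firmware signature so the example needs no third-party library.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_package(zip_bytes: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Tag a vendor build system would ship alongside the zip."""
    return hmac.new(key, zip_bytes, hashlib.sha256).digest()


def package_is_authentic(zip_bytes: bytes, tag: bytes, key: bytes = VENDOR_KEY) -> bool:
    """Constant-time comparison so a forger learns nothing from timing."""
    return hmac.compare_digest(sign_package(zip_bytes, key), tag)


def unsafe_entries(zf: zipfile.ZipFile, dest: str) -> List[str]:
    """Return archive entry names that would land outside dest when extracted."""
    dest_real = os.path.realpath(dest)
    bad = []
    for name in zf.namelist():
        # Archives built on Windows may carry backslashes; treat both as separators.
        normalized = name.replace("\\", "/")
        # Absolute paths and drive-letter prefixes (C:/...) never belong in a package.
        if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
            bad.append(name)
            continue
        target = os.path.realpath(os.path.join(dest_real, *normalized.split("/")))
        # realpath collapses '..' segments, so an escaping entry loses dest's prefix.
        if os.path.commonpath([dest_real, target]) != dest_real:
            bad.append(name)
    return bad


def install_package(zip_bytes: bytes, tag: bytes, dest: str) -> Tuple[bool, str]:
    """Verify, validate every path, and only then extract."""
    if not package_is_authentic(zip_bytes, tag):
        return False, "package failed verification; nothing extracted"
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = unsafe_entries(zf, dest)
        if bad:
            return False, "path traversal in entries: " + ", ".join(bad)
        written = 0
        for name in zf.namelist():
            parts = name.replace("\\", "/").split("/")
            if not parts[-1]:
                continue  # directory entry, nothing to write
            out = os.path.join(dest, *parts)
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with zf.open(name) as src, open(out, "wb") as dst:
                dst.write(src.read())
            written += 1
    return True, "installed %d file(s)" % written


def build_package(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {entry name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> Dict[str, bool]:
    """Constructed round trip: a clean package installs; a traversal package
    and an unverified package are both refused before extraction."""
    clean = build_package({"firmware/SoftPAC.bin": b"constructed firmware image"})
    slip = build_package({"../../outside.txt": b"constructed escaping entry"})
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "install", "SoftPAC")
        ok, _ = install_package(clean, sign_package(clean), dest)
        results["clean_accepted"] = ok
        results["clean_file_present"] = os.path.isfile(
            os.path.join(dest, "firmware", "SoftPAC.bin"))
        ok, reason = install_package(slip, sign_package(slip), dest)
        results["slip_rejected"] = (not ok) and reason.startswith("path traversal")
        results["slip_file_absent"] = not os.path.exists(os.path.join(tmp, "outside.txt"))
        ok, reason = install_package(clean, bytes(32), dest)
        results["unverified_rejected"] = (not ok) and reason.startswith("package failed")
    return results


if __name__ == "__main__":
    print(demo())
```

The order matters: verification runs before the archive is even opened, so a tampered package never reaches the zip parser, and path validation runs over the whole entry list before the first write, so a package that mixes clean and escaping entries is refused as a unit rather than partially installed.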
In a lab environment, Claroty researchers chained the security flaws described above with DLL hijacking tactics to achieve full code execution in SoftPAC Agent with SYSTEM privileges.
Proof-of-concept GIF of fully chained attack carried out by Claroty’s white-hat researchers in a lab environment.
After initiating a connection with SoftPAC Agent, Claroty researchers used this connection to check whether SoftPAC PLC was currently running. Next, they sent a stop command to SoftPAC Agent to stop SoftPAC PLC. After stopping the PLC, they sent a firmware update command containing a network path to a malicious zip file. SoftPAC Agent extracted the zip file, dropping the malicious dynamic-link library (DLL) it contained into the same directory as SoftPAC’s executable. After delivering the malicious file, Claroty researchers sent a command to restart SoftPAC PLC, causing the malicious DLL to load and thus executing their code with SYSTEM privileges.
Uncovered SoftPAC CVEs in detail
As part of the Claroty Research Team’s ongoing efforts to identify security flaws within OT environments, Sapir discovered the following CVEs in SoftPAC:
External control of filename or path (CVE-2020-12042): Paths specified within the zip files used for SoftPAC firmware updates are not sanitized. As such, an attacker with user privileges can gain arbitrary file write with SYSTEM privileges.
Improper verification of cryptographic signature (CVE-2020-12046): SoftPAC does not verify firmware files’ signatures during firmware updates, allowing an attacker to replace legitimate firmware files with malicious files.
Improper access control (CVE-2020-10612): SoftPAC Agent communicates with SoftPAC Monitor over network TCP Port 22000, an open port with no restrictions. This allows attackers with network access to control SoftPAC Agent’s behavior with remote commands including firmware updates, starting or stopping service, or writing to certain registry values.
Uncontrolled search path element (CVE-2020-10616): Since SoftPAC does not specify the full path of several of the DLL files it loads, an attacker can replace them and execute code whenever the service starts.
Improper authorization (CVE-2020-10620): Since its communications do not include any credentials or authentication, attackers with network access can communicate directly with SoftPAC.
The MITRE ATT&CK classifications for attacks utilizing these CVEs include:
If this update is not immediately feasible, CISA recommends the following measures for minimizing the likelihood of these vulnerabilities being exploited within your environment:
Monitor or restrict TCP Port 22000 at the firewall.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
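The first CISA measure, monitoring TCP Port 22000 at the firewall, can be turned into a check that runs over the Windows Defender Firewall log. The following is an added example, not from the post, Claroty or CISA. It assumes the host keeps the firewall log in its default text layout (a `#Fields:` header followed by space-separated records) and that SoftPAC Agent listens on TCP 22000 as the post states; the log lines, the hostnames and the management subnet `10.10.5.0/24` are constructed for the example.

```python
"""Audit a Windows Firewall log for inbound connections to SoftPAC Agent.

Added example (not vendor or CISA code). Every inbound TCP connection to the
agent port is classified by where it came from: the host itself, the
management subnet the SoftPAC Monitor workstations live on, or anywhere else.
"""
import ipaddress
from typing import Dict, List

AGENT_PORT = 22000
# Assumption: SoftPAC Monitor workstations live on this management subnet.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed sample in the pfirewall.log layout; field names come from the header line.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2020-05-14 09:12:01 ALLOW TCP 127.0.0.1 127.0.0.1 51022 22000 0 S 0 0 0 - - - RECEIVE
2020-05-14 09:12:40 ALLOW TCP 10.10.5.21 10.10.7.30 49811 22000 0 S 0 0 0 - - - RECEIVE
2020-05-14 09:13:05 ALLOW TCP 203.0.113.9 10.10.7.30 40231 22000 0 S 0 0 0 - - - RECEIVE
2020-05-14 09:13:07 DROP TCP 203.0.113.9 10.10.7.30 40232 22000 0 S 0 0 0 - - - RECEIVE
2020-05-14 09:14:00 ALLOW TCP 10.10.5.21 10.10.7.30 49812 443 0 S 0 0 0 - - - RECEIVE
"""


def parse_firewall_log(text: str) -> List[Dict[str, str]]:
    """Turn the log into one dict per record, keyed by the #Fields: header."""
    fields: List[str] = []
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than guess at columns
        records.append(dict(zip(fields, values)))
    return records


def exposure_of(src_ip: str) -> str:
    """Classify a source address as local, allowed (management subnet) or unexpected."""
    addr = ipaddress.ip_address(src_ip)
    if addr.is_loopback:
        return "local"
    if any(addr in net for net in ALLOWED_SOURCES):
        return "allowed"
    return "unexpected"


def audit_agent_port(text: str, port: int = AGENT_PORT) -> Dict[str, List[str]]:
    """Collect inbound TCP records for the agent port, grouped by source class."""
    findings: Dict[str, List[str]] = {"local": [], "allowed": [], "unexpected": []}
    for rec in parse_firewall_log(text):
        if rec.get("protocol") != "TCP" or rec.get("dst-port") != str(port):
            continue
        if rec.get("path") != "RECEIVE":
            continue  # only inbound attempts matter for exposure of the listener
        findings[exposure_of(rec["src-ip"])].append(
            "%s %s %s %s -> :%s" % (rec["date"], rec["time"], rec["action"],
                                    rec["src-ip"], rec["dst-port"]))
    return findings


def agent_exposed(text: str, port: int = AGENT_PORT) -> bool:
    """True when a connection from outside the allowed sources was actually ALLOWed."""
    return any(line.split()[2] == "ALLOW"
               for line in audit_agent_port(text, port)["unexpected"])


if __name__ == "__main__":
    for kind, lines in audit_agent_port(SAMPLE_LOG).items():
        print(kind, lines)
    print("agent reachable from unexpected sources:", agent_exposed(SAMPLE_LOG))
```

A DROP from an unexpected source shows the firewall rule is doing its job and still tells you someone is probing the port; an ALLOW from an unexpected source is the condition CISA's measure is meant to rule out, so that is the one the audit promotes to a boolean.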
To learn more about how Claroty can help your team discover and mitigate vulnerabilities within your OT environment, request a demo.