Team82 Research
A US-CERT advisory was issued today for multiple vulnerabilities discovered by Team82's Mashav Sapir. The vulnerabilities affect Opto 22's SoftPAC Project versions 9.6 and prior.
SoftPAC is a software-based programmable logic controller (PLC) used widely among companies in the power generation and manufacturing sectors. Successful exploitation of the discovered vulnerabilities could enable an adversary to start or stop service, execute malicious code remotely, and/or limit system availability.
However, since the underlying problems related to the discovered vulnerabilities are not unique to SoftPAC, Team82 believes other software-based PLCs may face similar problems.
Standalone, hardware-based PLCs often were not designed with security in mind, but they benefit from the relative obscurity of running on proprietary OT protocols. In contrast, since software-based PLCs run on Windows machines, their potential exposure to cyber threats is far greater. Software-based PLCs present numerous advantages in terms of productivity, flexibility, reporting, testing, and development, but they can also serve as an entry point for attackers wishing to compromise OT environments.
To help prevent their products from being exploited as attack vectors, PLC vendors should sign and verify their firmware files and establish security controls that reject non-signed files. Without this protection in place, an attacker can replace firmware files with malicious files, either as an infection vector or as a means of gaining persistence within an OT environment that has already been compromised.
The SoftPAC PLC runs as a SYSTEM service on Windows machines which is not directly accessible by end users. Rather, SoftPAC vendor Opto 22 provides end users with a different program, SoftPAC Monitor, which allows them to easily control and manage the SoftPAC PLC via another service called SoftPAC Agent.
SoftPAC Monitor allows users to start/stop the PLC service and update the SoftPAC firmware by sending commands to SoftPAC Agent via TCP Port 22000. SoftPAC Agent is only intended to listen to commands from SoftPAC Monitor, but it also listens to 0.0.0.0, a non-routable meta-address used to designate an invalid or unknown targets. Under certain conditions, this could allow attackers to establish external remote connections with SoftPAC Agent (see diagram below).
Since the protocol used by SoftPAC Agent does not require any form of authentication, a remote attacker could potentially mimic SoftPAC Monitor, establish a remote connection, and execute start/stop service or firmware update commands. While an attacker could use start/stop commands to cause costly and potentially dangerous operational changes, the firmware update command is an area of even greater concern.
Through his research, Sapir determined that when SoftPAC Monitor issues firmware update commands, it sends SoftPAC Agent the path of the new firmware zip file, which wraps the executable file. Neither the firmware update zip file sent by SoftPAC Monitor nor the executable file contained within it are signed. As such, an attacker could send a malicious firmware update command via TCP Port 22000, and SoftPAC Agent would readily receive, extract, and install the executable.
Furthermore, the paths within firmware updates sent by SoftPAC Monitor are not sanitized. This results in a 'zip slip' vulnerability during the file's extraction process, allowing an attacker to achieve arbitrary file write with SYSTEM privileges, which can be easily leveraged to execute malicious code.
In a lab environment, Team82 chained the security flaws described above with DLL hijacking tactics to achieve full code execution in SoftPAC Agent with SYSTEM privileges.
After initiating a connection with SoftPAC Agent, Claroty researchers used this connection to check whether SoftPAC PLC was currently running. Next, they sent a stop command to SoftPAC Agent to stop SoftPAC PLC. After stopping the PLC, they sent a firmware update command containing a network path to a malicious zip file. SoftPAC Agent extracted the zip file and dropped the malicious dynamic-link library (DLL) file it contained and placed in the same directory as SoftPAC's executable. After delivering the malicious file, Claroty researchers sent a command to restart SoftPAC PLC, causing the malicious DLL to load, thus executing the code with SYSTEM privileges.
As part of the Claroty Research Team's ongoing efforts to identify security flaws within OT environments, Sapir discovered the following CVEs in SoftPAC:
External control of filename or path (CVE-2020-12042): Paths specified within the zip files used for SoftPAC firmware updates are not sanitized. As such, an attacker with user privileges can gain arbitrary file write access with system access.
Improper verification of cryptographic signature (CVE-2020-12046): SoftPAC does not verify firmware files' signatures during firmware updates, allowing an attacker to replace legitimate firmware files with malicious files.
Improper access control (CVE-2020-10612): SoftPAC Agent communicates with SoftPAC Monitor over network TCP Port 22000, an open port with no restrictions. This allows attackers with network access to control SoftPAC Agent's behavior with remote commands including firmware updates, starting or stopping service, or writing to certain registry values.
Uncontrolled search path element (CVE-2020-10616): Since SoftPAC does not specify the path of multiple .dll files, an attacker can replace them and execute code whenever the service starts.
Improper authorization (CVE-2020-10620): Since its communications do not include any credentials or authentication, attackers with network access can communicate directly with SoftPAC.
The MITRE ATT&CK classifications for attacks utilizing these CVEs include:
Since the vulnerabilities described above only affect SoftPAC Project versions 9.6 and prior, they can be mitigated by updating to the latest version of SoftPAC Project Professional or SoftPAC Project Basic.
If this update is not immediately feasible, CISA recommends the following measures for minimizing the likelihood of these vulnerabilities being exploited within your environment:
Monitor or restrict TCP Port 22000 at the firewall.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
To learn more about how Claroty can help your team discover and mitigate vulnerabilities within your OT environment, request a demo.
CWE-285: IMPROPER AUTHORIZATION
Certain MQTT wildcards are not blocked on the system, which might result in an attacker obtaining data from throughout the system after gaining access to any device.
Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
CVSS v3: 6.5
CWE-321: USE OF HARD-CODED CRYPTOGRAPHIC KEY
The devices Power Panel manages use identical certificates based on a hard-coded cryptographic key. This can allow an attacker to impersonate any client in the system and send malicious data.
Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
CVSS v3: 6.5
CWE-89: IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION')
An attacker with certain MQTT permissions can create malicious messages to all Power Panel devices. This could result in an attacker injecting SQL syntax, writing arbitrary files to the system, and executing remote code.
Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
CVSS v3: 8.8
CWE-257: STORING PASSWORDS IN A RECOVERABLE FORMAT
The key used to encrypt passwords stored in the database can be found in the application code, allowing the passwords to be recovered.
Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
CVSS v3: 4.9
CWE-489: ACTIVE DEBUG CODE
Hard-coded credentials for the test server can be found in the production code. This might result in an attacker gaining access to the testing or production server.
Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
CVSS v3: 9.8
