ClickCease Trio of new flaws exploited to target automated industrial controllers

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Trio of new flaws exploited to target automated industrial controllers

Obanla Opeyemi

December 14, 2022 - TuxCare expert team

Vedere Labs researchers recently discovered three new security flaws in a long list of flaws collectively tracked as OT:ICEFALL.

The flaws are said to affect operational technology (OT) products from two German vendors, Festo and CODESYS, and can be used to attack automated industrial controllers and a popular piece of software used to program millions of smart devices in critical infrastructure, and could impact device manufacturers across various industrial sectors.

These bugs are tracked as CVE-2022-4048, and they affect CODESYS V3 version 3.5.18 and manipulate it logically. The CVE-2022-3079 vulnerability, which affects Festo CPX-CEC-C1 and CPX-CMXX Codesys V2 controllers, allows unauthenticated, remote access to critical webpage functions, potentially resulting in a denial of service. CVE-2022-3270 Festo controllers using the FGMC protocol allow for unauthenticated network controller reboot.

They all point to either an insecure-by-design approach, in which manufacturers include dangerous functions that can be accessed without authentication, or a poor implementation of security controls, such as cryptography.

Application encryption is provided by the CODESYS V3 runtime environment to ensure that download code and boot applications are encrypted. The CODESYS runtime is used by hundreds of device manufacturers worldwide, including Festo. CODESYS V3 prior to version 3.5.18.40 was discovered to use weak cryptography for download code and boot applications, allowing attackers to decrypt and manipulate protected code with ease by brute forcing session keys.

The Festo CPX-CEC-C1 and CPX-CMXX controllers, on the other hand, allow unauthenticated remote access to critical webpage functions. Anyone with network access to a controller can navigate to a hidden web page on the controller’s filesystem, causing the controller to reboot and potentially causing a denial of service.

Furthermore, Festo controllers that use the Festo Generic Multicast (FGMC) protocol allow for unauthenticated controller reboots and other sensitive operations. The Festo Field Device Tool, which communicates via FGMC, can achieve the same effect. The PLC Browser tool, which allows operators to issue commands, can also be used to reboot controllers without requiring authentication.

Recommendations to Reduce Risk Due to the difficulty of patching or replacing OT devices due to their mission-critical nature, Forescout recommends that organizations implement mitigation strategies that prioritize securing their increased attack surface based on up-to-date threat intelligence.

Besides that, the research discovered that a number of Festo devices, including its CPX-CEC-C1 controllers, were shipped with CODESYS configurations that make them vulnerable to a pair of older, previously disclosed software flaws.

The sources for this piece includes an article in SCMedia.

Summary
Trio of new flaws exploited to target automated industrial controllers
Article Name
Trio of new flaws exploited to target automated industrial controllers
Description
Vedere Labs researchers recently discovered three new security flaws in a long list of flaws collectively tracked as OT:ICEFALL.
Author
Publisher Name
TuxCare
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Related Articles

How GPT models can be...

According to CyberArk researchers, GPT-based models like ChatGPT can be...

January 30, 2023

Attackers actively exploit Unpatched Control...

Malicious hackers have started exploiting a critical vulnerability CVE-2022-44877 in...

January 27, 2023

Attackers distribute malware via malicious...

Deep Instinct researchers reported that RATs like StrRAT and Ratty...

January 26, 2023

CircleCI partners AWS to identify...

According to CircleCI’s CTO, Rob Zuber, CircleCI is working with...

January 25, 2023

Cisco warns of authentication bypass...

A remote attacker could exploit multiple vulnerabilities in four Cisco...

January 24, 2023

IceID malware infiltrates Active Directory...

In a notable IcedID malware attack, the assailant impacted the...

January 23, 2023