EDITOR'S NOTE (11/30/2022): This story has been updated with additional details and quotes from Aleg Vilinski, vice-head of Festo's product security incident response team.
Researchers at Vedere Labs disclosed a trio of new security vulnerabilities that can be used to attack automated industrial controllers and a popular piece of software used to program millions of smart devices in critical infrastructure.
The bugs (tracked under CVE-2022-4048, CVE-2022-3079 and CVE-2022-3270) allow for logic manipulation and denial of service, primarily impacting products from two major German vendors: Festo automated controllers and CODESYS runtime, an application that allows developers to program smart devices and is, according to Vedere Labs, “used by hundreds of device manufacturers in different industrial sectors.”
The flaws are part of OT Icefall, a broader research project undertaken by Vedere Labs to raise the visibility of security vulnerabilities in operational technology responsible for controlling the machinery powering much of our critical infrastructure, from manufacturing plants and telecommunications to clean water and electricity. The company disclosed nearly 60 such vulnerabilities earlier this year affecting more than a dozen major industrial products and equipment.
Daniel Dos Santos, head of security research at Vedere Labs, told SC Media that the weaknesses the three vulnerabilities exploit — poor cryptography, lack of authentication and insecure engineering — are among the most common ones discovered through the project and illustrate longstanding core security and supply chain challenges throughout many industrial sectors.
“This falls into that continuum of vulnerabilities that we are finding in the specific area [of] OT devices and insecurity by design,” Dos Santos told SC Media an interview. “The fact that there are engineering protocols and functions without authentication that allow for a lot of critical operations to be performed by attackers on devices, or in some cases the fact that some security controls with cryptography are just not done at a quality that you would expect. [They’re] really critical devices and there are some very basic mistakes there.”
In this case, an attacker could take advantage of weak, built-in cryptographic protocols in CODESYS to decrypt or manipulate protected code, or leverage authentication failures in the CPX-CEC-C1 V2 model of Festo controllers to access a previously hidden web application page that allows them to persistently reboot the device, effectively shutting it down. The same flaw also affects CPX-CMXX controllers, but Aleg Vilinski, vice-head of Festo's product security incident response team, told SC Media that model has been phased out since 2015.
Dos Santos said the hidden web application page still being accessible for Festo controllers was “interesting” because it demonstrates a larger problem: how “these undocumented features, often [put in place] for testing purposes or things like that, they’re still left on devices, [even though] there’s not really much utility in having that on a device.”
While denial of service attacks can often be little more than a nuisance for many companies and IT environments, they can be particularly dangerous for OT equipment and critical infrastructure entities that must operate around the clock. So far, Vedere Labs has found and reported at least three different ways to exploit the vulnerability and force a reboot for Festo programmable logic controllers.
One of the vulnerabilities, affecting multiple Festo controllers (CVE-2022-3270), comes with a 9.8 CVSS score for severity. That’s in part because the affected protocol controls a host of other critical functions that could allow an attacker to completely take over the confidentiality, availability and integrity of the device. While Vedere Labs only went as a far as testing the bug for its denial of service capabilities before reporting it to Festo, Dos Santos said it is possible it could also allow an attacker to remotely execute arbitrary code.
Vilinski said this vulnerability does not have the same level of impact on every controller listed in their advisory, and some of the products listed are not able to be accessed remotely.
"Even though it’s true that the CVE-2022-3270 has a 9.8 CVSS...not all products listed there have a score of 9.8. This comes from the fact that not all controllers listed there are using all features, only those with 9.8 are [able] to remotely execute arbitrary code," Vilinski wrote in an emailed response to questions. "Furthermore, the list in the FSA-202209 does not include all Festo controllers as not all controllers have the protocols in use. Therefore, just one-fourth of the listed controllers have this problem."
Additionally, the research found a number of Festo devices — including its CPX-CEC-C1 controllers — were shipped with CODESYS configurations that make them vulnerable to a pair of older, previously disclosed weaknesses in the software.
Interest in tackling some of the systemic issues around securing operational technology and critical infrastructure has risen substantially among policymakers in recent years, as incidents like the Colonial Pipeline and JBS ransomware attacks have underscored just how easily a cyberattack on a single industrial provider can disrupt or slow down vital societal services like gas and food around the country.
One of the most enduring problems is a main focus for Icefall: the proliferation of “insecure by design” operational technologies and equipment that were developed before industries became broadly aware of the cybersecurity risks it created.
At the Department of Energy, officials are looking to leverage as much as $62 billion in federal funding over the next decade to ensure that as states and energy companies go about replacing their equipment, machinery and operational technology with more climate-friendly alternatives, they are also working to undo some of the early design mistakes that have plagued industry cybersecurity for decades.
“From my vantage point, we honestly have a strategic opportunity like we’ve never had before. We’re seeing this revolution of particularly clean energy systems that are going to be coming online and we have an opportunity to actually build in cybersecurity rather than trying to bolt it on that we’ve done in so many other sectors, including the energy sector, for too long,” said Puesh Kumar, director of the Office Cybersecurity, Energy Security and Emergency Response, in July.