Forescout releases concluding OT:ICEFALL vulnerabilities report, focus shifts to more mature OT security programs


On Tuesday, Forescout Technologies presented the last three vulnerabilities in OT:ICEFALL and concluded the project after one year with a new retrospective. The report said that CVE-2022-46680 is the last issue found in the original OT:ICEFALL research and was not made public at the request of the vendor. The vulnerability concerns the plaintext transmission of credentials in a protocol used by power meters from Schneider Electric. By abusing this vulnerability, attackers can compromise credentials and gain control of vulnerable devices.

Through its Vedere Labs arm, Forescout also revealed that CVE-2023-1619 and CVE-2023-1620 are new findings on WAGO controllers using the CODESYS runtime. These vulnerabilities allow denial of service (DoS) on the affected devices, either by sending specific malformed packets or by sending requests after a user has logged out. The report highlights the need to prioritize issues based on potential consequences, reducing security risk and minimizing operational downtime more effectively than relying too heavily on vendor guidance or compensating controls.

“The Schneider Electric ION and PowerLogic product lines use the ION/TCP protocol on port 7700/TCP for communications between a master terminal and energy monitors. This protocol transmits a user ID and password in plaintext with every message, provided this feature is enabled, allowing an attacker with passive interception capabilities to obtain these credentials,” Jos Wetzels and Abdelrahman Hassanien, Forescout researchers, wrote in the final OT:ICEFALL report. 

They added that an attacker who obtains ION or PowerLogic credentials can authenticate to the ION/TCP engineering interface as well as SSH and HTTP interfaces to change energy monitor configuration settings and potentially modify the firmware. If the credentials in question are (re)used for other applications, their compromise could potentially facilitate lateral movement.

To address CVE-2022-46680, as of firmware version 4.0.0 (ION9000, PM8000, ION7400), Schneider Electric introduced Secure ION (on port 7443/TCP), supported by the latest version of ION Setup and in future releases of Power Monitoring Expert (PME), Forescout revealed. “Secure ION uses a TLS tunnel between the energy monitor and master terminal but is disabled by default. In addition, ION sessions (both regular and Secure ION) now use a session token ID to authenticate ION requests to a device,” it added.

Devices that support Secure ION use self-signed certificates by default and require CA-signed certificates to be uploaded during commissioning, according to Forescout. “Invalid security certificates will trigger a warning on part of the engineering software. After a connection has been established, the user sends credentials to the device, which returns a unique, non-transferable token to the engineering software. Subsequent ION requests are validated using the token ID (with session timeout of 5 minutes) instead of the credentials.”

“While we have not looked into the new session mechanism in detail yet, and the approach is not secure-by-default, it does at least present a shift towards secure-by-design for the ION/PowerLogic product lines and attempts to address the root cause of the original vulnerability,” according to the researchers.
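The report states that legacy ION/TCP on 7700/TCP carries credentials in plaintext with every message, while Secure ION on 7443/TCP wraps the session in TLS but is disabled by default. A defender's first step is therefore to find out which monitors are still being reached over the plaintext port. The script below is an added example, not Forescout's or Schneider Electric's code; it runs over constructed flow records (hypothetical addresses) and reports, per energy monitor, how many plaintext ION sessions were seen, which master terminals initiated them, and whether the monitor has also been seen serving Secure ION. It deliberately uses only the port assignments the report gives and does not parse the ION protocol itself.

```python
"""Added example (not vendor or Forescout code): inventory check for energy monitors
that are still reached over legacy plaintext ION/TCP instead of Secure ION."""
from collections import defaultdict

# Port assignments as described in the OT:ICEFALL report
ION_PLAINTEXT_PORT = 7700  # legacy ION/TCP: user ID and password sent with every message
SECURE_ION_PORT = 7443     # Secure ION: TLS tunnel between master terminal and monitor

# Constructed sample flow records: (src, dst, dst_port, bytes). Addresses are hypothetical.
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.20.11", 7700, 4096),   # master -> monitor, plaintext ION
    ("10.10.1.5", "10.10.20.12", 7443, 8192),   # master -> monitor, Secure ION
    ("10.10.1.5", "10.10.20.11", 7700, 512),    # same monitor, plaintext again
    ("10.10.1.7", "10.10.20.13", 7700, 1024),   # second master, plaintext ION
    ("10.10.1.7", "10.10.20.12", 7700, 256),    # monitor .12 reached both ways (mixed)
    ("10.10.1.5", "10.10.20.12", 7443, 2048),
    ("10.10.1.5", "10.10.20.14", 22, 300),      # unrelated SSH flow, ignored here
]


def classify_flows(flows):
    """Group flows by destination monitor and count plaintext vs Secure ION sessions."""
    per_monitor = defaultdict(lambda: {
        "plaintext_sessions": 0,
        "secure_sessions": 0,
        "plaintext_masters": set(),
    })
    for src, dst, dport, _size in flows:
        if dport == ION_PLAINTEXT_PORT:
            per_monitor[dst]["plaintext_sessions"] += 1
            per_monitor[dst]["plaintext_masters"].add(src)
        elif dport == SECURE_ION_PORT:
            per_monitor[dst]["secure_sessions"] += 1
    return dict(per_monitor)


def plaintext_ion_findings(flows):
    """Return one finding per monitor that is still reached over plaintext ION/TCP.

    A monitor that also serves Secure ION is still reported: a mixed state means at
    least one master terminal has not been migrated and credentials are still exposed.
    """
    findings = []
    for dst, info in sorted(classify_flows(flows).items()):
        if info["plaintext_sessions"] == 0:
            continue
        findings.append({
            "monitor": dst,
            "plaintext_sessions": info["plaintext_sessions"],
            "secure_ion_seen": info["secure_sessions"] > 0,
            "plaintext_masters": sorted(info["plaintext_masters"]),
        })
    return findings


if __name__ == "__main__":
    for f in plaintext_ion_findings(SAMPLE_FLOWS):
        state = "MIXED" if f["secure_ion_seen"] else "PLAINTEXT ONLY"
        print(f"{f['monitor']}: {f['plaintext_sessions']} plaintext ION session(s) "
              f"from {', '.join(f['plaintext_masters'])} [{state}]")
```

In practice the flow records would come from a network sensor or NetFlow/IPFIX export; the "mixed" state is the one worth chasing first, because it shows a device that already supports Secure ION but still has at least one master terminal talking to it in plaintext.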

CVE-2023-1619 exemplifies the poor design of the protocol parsers integrated into the WAGO 750 controllers and allows authenticated attackers to crash the device by sending malformed packets, Forescout evaluated. “There have been several similar bugs with these protocol parsers in the past. CVE-2019-19789, for example, led to denial of service due to a null pointer dereference in products using CODESYS V2 runtime. Other examples include a set of issues identified in 2019 that could lead to remote code execution and CVE-2020-12522, which was discovered in 2020 but fixed by a silent patch in 2017.”

The report added that CVE-2023-1620 is an example of insufficient session expiration (CWE-613), where an attacker can crash an affected device by sending specific requests after being logged out of the device. “This bug could be fixed by the controller closing the connection after logout to avoid memory-based vulnerabilities. After triggering any of the vulnerabilities, the affected device must be manually rebooted to return to its operating state.”
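Two of the report's points fit one model: the Secure ION session mechanism (credentials sent once, then a unique, non-transferable token validated per request with a 5-minute timeout) and the CWE-613 fix Forescout proposes for CVE-2023-1620 (drop all session state at logout so that later requests are rejected rather than processed). The code below is an added example and not vendor code; it is a minimal device-side session manager in Python with a constructed credential store, a manual clock so the timeout can be exercised deterministically, and a connection identifier that makes a token unusable from another connection. The class names, the `conn_id` parameter and the `demo()` driver are this example's own.

```python
"""Added example (not vendor or Forescout code): a device-side session manager showing
token-based authentication with idle timeout and correct session expiration on logout."""
import hmac
import secrets
import time

SESSION_TIMEOUT_S = 5 * 60  # 5-minute idle timeout, as the report describes for ION sessions


class SessionError(Exception):
    """Raised when a request cannot be tied to a valid, live session."""


class ManualClock:
    """Deterministic clock for the demo; a real device would use time.monotonic()."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class DeviceSessionManager:
    def __init__(self, credentials, clock=time.monotonic):
        self._credentials = credentials  # {user: password}; constructed sample store
        self._clock = clock
        self._sessions = {}              # token -> {"user", "conn", "last_seen"}

    def login(self, user, password, conn_id):
        """Exchange credentials once for a random token bound to this connection."""
        expected = self._credentials.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            raise SessionError("invalid credentials")
        token = secrets.token_hex(16)
        self._sessions[token] = {"user": user, "conn": conn_id, "last_seen": self._clock()}
        return token

    def _validate(self, token, conn_id):
        sess = self._sessions.get(token)
        if sess is None:
            # Covers both "never issued" and "logged out": no state survives logout,
            # so a request after logout has nothing to act on and is simply refused.
            raise SessionError("no such session")
        if sess["conn"] != conn_id:
            raise SessionError("token not valid on this connection")  # non-transferable
        now = self._clock()
        if now - sess["last_seen"] > SESSION_TIMEOUT_S:
            del self._sessions[token]
            raise SessionError("session expired")
        sess["last_seen"] = now
        return sess

    def handle_request(self, token, conn_id, action):
        sess = self._validate(token, conn_id)
        return f"{action} ok for {sess['user']}"

    def logout(self, token):
        """Discard the session entirely; the caller then closes the connection."""
        self._sessions.pop(token, None)
        return "connection closed"

    def active_sessions(self):
        return len(self._sessions)


def demo():
    """Drive the manager through login, use, logout, timeout and a transferred token."""
    clock = ManualClock()
    mgr = DeviceSessionManager({"engineer": "constructed-sample-pw"}, clock=clock)
    out = {}
    tok = mgr.login("engineer", "constructed-sample-pw", conn_id=1)
    out["request_ok"] = mgr.handle_request(tok, 1, "read_config")
    try:
        mgr.handle_request(tok, 2, "read_config")        # same token, other connection
    except SessionError as e:
        out["other_conn"] = str(e)
    mgr.logout(tok)
    try:
        mgr.handle_request(tok, 1, "read_config")        # request after logout
    except SessionError as e:
        out["after_logout"] = str(e)
    tok2 = mgr.login("engineer", "constructed-sample-pw", conn_id=3)
    clock.advance(SESSION_TIMEOUT_S + 1)
    try:
        mgr.handle_request(tok2, 3, "read_config")       # idle past the timeout
    except SessionError as e:
        out["after_timeout"] = str(e)
    try:
        mgr.login("engineer", "wrong-password", conn_id=4)
    except SessionError as e:
        out["bad_login"] = str(e)
    out["active"] = mgr.active_sessions()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the design is that every post-logout and post-timeout path ends in an early refusal before any request handler touches device state, which is the property the WAGO fix needs; the token binding to a connection is one way to make a token "non-transferable" as the report describes.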

“We found the vulnerabilities on a WAGO 750-862 controller running firmware version FW0750 0862 V010504, released on February 10, 2022,” Forescout disclosed. “However, both vulnerabilities affect WAGO’s use of the CODESYS V2 runtime, which means they affect more devices than we originally tested as they stem from the flawed integration of a supply chain component.”

Last year, Forescout released OT:ICEFALL, which focused on insecurity-by-design in OT and included 61 vulnerabilities, which affected more than 100 individual products manufactured by 13 vendors. The affected products are known to be prevalent in industries such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation. Many of these products are sold as ‘secure by design’ or have been certified with OT security standards. 

Among the vulnerabilities Forescout found, 38 percent allow for the compromise of credentials, 21 percent allow for firmware manipulation, and 14 percent allow remote code execution. Additionally, 74 percent of affected product families have some form of security certification, while risk management is complicated by the lack of CVEs. 

In June, Vedere Labs discovered 56 vulnerabilities caused by insecure-by-design practices affecting devices from ten OT vendors. Collectively called OT:ICEFALL, these security loopholes are divided into four main categories – insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates, and remote code execution via native functionality. The ‘insecure by design’ problems were found across ten manufacturers, including Baker Hughes (Bentley Nevada), Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.

A November update identified three new vulnerabilities affecting OT products from two German vendors – Festo automation controllers and the CODESYS runtime, which is used by hundreds of device manufacturers in different industrial sectors, including Festo. 

Since 2020, Forescout Vedere Labs has been finding and disclosing high-impact vulnerabilities in IT, OT, and IoT devices. The team began with Project Memoria, a large analysis of TCP/IP stacks, and reported a total of 97 vulnerabilities, including 19 in Ripple20 found by JSOF, 33 in AMNESIA:33, nine in NUMBER:JACK, nine in NAME:WRECK found together with JSOF, 14 in INFRA:HALT found together with JFrog, and 13 in NUCLEUS:13 found together with Medigate.

Reflecting on the state of OT product security, Forescout said in its concluding report that vendors still lack a fundamental understanding of secure-by-design, often release low-quality patches, and must improve their security testing procedures.

“Apart from typical implementation flaws such as plaintext and hardcoded credentials or key material, we encountered several recurring design issues that demonstrated how many OT vendors lack a fundamental understanding of basic security control design principles,” Forescout said. 

Forescout Vedere Labs said in an accompanying blog post that research shows the continuing prevalence of insecure-by-design practices in OT products and highlights that existing security controls are often broken. 

“We found recurring design issues that demonstrate a lack of understanding of basic security control design, such as plaintext and/or hardcoded credentials, client-side authentication, stateful control on stateless protocols, missing critical steps in authentication, broken algorithms and faulty implementations,” according to the post. “In older product lines, some issues persist because of the need for backward compatibility, but some of these problems are also found on newer designs.”

Forescout revealed that vendors often release low-quality patches. “Incomplete patches can lead to the discovery of new vulnerabilities, exemplifying how a bad patch increases risk rather than decreasing it. This situation has previously been acknowledged in IT but is even more critical in OT, where security patches are harder to apply. Patches are often incomplete due to a lack of variant analysis and piecemeal fixes for vulnerabilities, instead of addressing their root causes,” the post added.

The report said that incomplete patches for several issues have led to new vulnerabilities being discovered, which exemplifies how a bad patch increases risk instead of decreasing it. “The shallow nature of many vulnerabilities found casts doubt on the quality of the testing these products are supposed to undergo. In addition, some vendors have a certified software development lifecycle, which leads us to wonder how the bugs were missed by those vendors in the first place,” it added.

Forescout clarified that each of these points reflects the posture of some vendors, but not necessarily every vendor affected by OT:ICEFALL. 

Another phenomenon adversely affecting patch timeliness is silent patches, where a vendor fixes a vulnerability without publishing an advisory or registering a CVE, Forescout identified. “Sometimes silent patches are addressed with a single, non-descriptive line in a release notes file. In other cases, the issues remain unmentioned at all. As a result, OEMs and end users tend to remain ignorant of these issues and do not incorporate these patches into their products.”

The Forescout report said that its findings in OT:ICEFALL demonstrate the need for tighter scrutiny of and improvements to processes related to security design, patching, and testing in OT device vendors. “OT security has reached a state where there are increasing international discussions about the need for more vendor liability and better security by design and by default.”

The report identified that one of the strategic objectives in the U.S. 2023 National Cybersecurity Strategy is to ‘shift liability for insecure software products and services,’ which would entail legislation to establish liability of device vendors for insecure or vulnerable products. Similarly, the EU is working on a Cyber Resilience Act, which has as its first goal to ‘ensure that manufacturers improve the security of products with digital elements since the design and development phase and throughout the whole life cycle.’ 

The U.K. also recently passed its Product Security and Telecommunications Infrastructure Act, which contains specific sections about IoT security requirements, duties of manufacturers, and potential penalties.

The report also added that “Shifting security efforts left (to guarantee application security at the earliest stages in the development cycle) will also break the current culture of inefficient and disruptive piecemeal patching in OT. Patches aren’t free or without risk in OT; the patch cycle ROI should be maximized as much as possible. Theoretically, this would be addressed through certified secure SDLCs and product security certifications.”

It added that the “persistence of insecure-by-design in OT and subpar patch quality assurance tend to mean that many security patches deliver minimal risk reduction at significant cost. As a result, some asset owners contend that patching OT vulnerabilities is futile and defenders should focus on compensating controls such as segmentation and network- and host monitoring.”

Based on the abundant evidence gathered and insights gained throughout OT:ICEFALL, Forescout summed up in its report that it considers “a careful, consequence-driven analysis of which vulnerabilities to patch, in which assets, to be the best approach for organizations with more mature OT security programs.”

Earlier this month, the U.S. Office of Management and Budget (OMB) published an update to a September 2022 memorandum (M-22-18) that focuses on enhancing the security of the software supply chain through secure software development practices. The latest document extends the timeline for the collection of attestations for critical software and non-critical software; clarifies the scope of the earlier memorandum; provides guidance on the use of plans of action and milestones submitted to federal agencies by software producers; and provides future updates to guidance.
