Claroty’s Team82 details exploitation of classic deserialization vulnerability in Siemens EnMPro line
Researchers from Claroty’s Team82 discovered a deserialization vulnerability, CVE-2022-23450, in Siemens’ SIMATIC Energy Manager (EnMPro) product. The critical vulnerability, with a CVSS v3 score of 10.0, was resolved in EnMPro V7.3 Update 1 and later versions. Prior versions are also affected by this flaw, allowing remote code execution and full control over an EnMPro server. Exploiting the vulnerability could enable an attacker to execute malicious code before the authentication process begins.
Given the severity of the vulnerability, Team82 has chosen to delay disclosing any technical details until now to give users time to update, Noam Moshe disclosed in a blog post. “We privately disclosed our vulnerability to Siemens, which patched the vulnerability in V7.3 Update 1, and in later versions. All versions up to V7.3 contain this vulnerability. An attacker who successfully exploits this vulnerability can gain complete control over an EnMPro server,” he added.
Siemens urges users to update to V7.3 Update 1 or later as all versions up to V7.3 contain this vulnerability.
Siemens EnMPRO is a software used within plants to manage and visualize energy flow and consumption values, compare energy efficiency, and strategize an energy plan accordingly, Moshe detailed. “Behind the scenes, EnMPRO is a [dot]NET service (called BDataWIndowsService) composed of a [dot]NET executable, listening on port TCP/4444. This executable handles most of the EnMPRO server’s core functionality, allowing clients to connect to it remotely using a proprietary messaging protocol,” he added.
Using this protocol, clients can invoke different functionality in the server, including retrieving or altering data in the server, calling different functions, and creating graphical interfaces or periodic procedures.
“Throughout our research into EnMPro, we were able to identify several critical vulnerabilities in EnMPro’s web server and desktop application,” Moshe outlined. “These vulnerabilities, when exploited, could result in a malicious actor compromising and even gaining full control over the server running EnMPro. In this blog, we describe our research process and provide some technical details about the most severe vulnerability, CVE-2022-23450.”
Moshe added that the vulnerability is a classic deserialization bug found in EnMPro’s use of a [dot]NET BinaryFormatter class. BinaryFormatter, according to Microsoft, should not be used to deserialize objects, especially those coming from user input. Its usage puts instances of SIMATIC Energy Manager at risk of remote attackers executing code of their choice, giving them full control over these servers.
To allow remote users to interact with the main EnMPRO server, Siemens created a very simple network protocol over TCP/4444, allowing the desktop application (Client UI DocLiber[dot]exe) to interact with the main server’s application (BDataWindowsService[dot]exe).
“We reverse engineered the server’s binaries, as well as looked at a dump of the network communication statically, trying to understand and eventually reconstruct the protocol’s messages and capabilities,” according to Moshe. “We looked at different functionalities the user can invoke through the client, and watched how the packets would change, trying to better understand different fields of the message.”
Team82 discovered that after a short protocol-specific handshake and session creation, most EnMPro messages implement a structure, which the research team details in different colors. Packet Size consists of the first four bytes of each packet which are the packet’s size (excluding the packet size header), sent in a Little-endian byte order.
After the packet size, the next four bytes are a bitmap specifying different flags for this packet. Flags include indicators of whether the packet is compressed (using GZIP) if the packet is chunked, etc. The next byte in the packet represents the type of the packet. This byte is an enum, and it decides what is the message type, and what fields/members should be sent inside the message.
After the packet type is read, the server/client will try to construct the message using the correct message type deserializer. Message Contents contains the actual message data, which will be read and parsed using the correct message parser. The message contains the different fields/members used by this specific message type.
Siemens has fixed a critical remote code execution vulnerability in its EnMPro product, used in plants to monitor energy consumption within processes.
“Our proof-of-concept exploit initiates a session with the server before sending a malicious serialized class that is then deserialized by the server, resulting in arbitrary remote code execution,” Moshe said. “The attack is carried out pre-authentication, meaning an attacker would not need to have a previous foothold on the server.”
This vulnerability was assessed with a CVSS v3 score of 10.0 and was addressed in EnMPro V7.3 Update 1 and later. All previous versions carry this vulnerability.
Earlier this month, Claroty’s Team82 detailed the Blackjack hacking group, believed to be affiliated with Ukrainian intelligence services, and claims to have carried out a cyberattack that has damaged emergency detection and response capabilities in Moscow and beyond the Russian capital. Additionally, the website ‘ruexfil.com’ hosts a trove of extensive information about the Moscollector attack, including the Fuxnet malware Blackjack said it used to damage the Moscollector network operations center. The attackers also posted screenshots of monitoring systems, servers, and databases they say have been wiped and rendered unusable.
Related
