Vedere Labs updates OT:ICEFALL findings, adds three more vulnerabilities in Festo automation controllers, CODESYS equipment

Forescout’s Vedere Labs identified three new vulnerabilities affecting OT (operational technology) products from two German vendors – Festo automation controllers and the CODESYS runtime, which is used by hundreds of device manufacturers in different industrial sectors, including Festo. These security loopholes add to the earlier 56 vulnerabilities caused by insecure-by-design practices affecting devices from ten OT vendors, including Baker Hughes (Bentley Nevada), Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.

“As in the original OT:ICEFALL disclosure, these issues exemplify either an insecure-by-design approach— which was usual at the time the products were launched – where manufacturers include dangerous functions that can be accessed with no authentication or a subpar implementation of security controls, such as cryptography,” Vedere Labs researchers wrote in a Tuesday blog post. 

The Vedere Labs disclosure involved the affected manufacturers and the CERT@VDE, a German security platform for small and medium-sized automation companies. Tracked under CVE-2022-4048, the CODESYS V3 before 3.5.18.40 uses weak cryptography for download code and boot applications and could lead to logic manipulation. 

The CVE-2022-3079 disclosure covers Festo CPX-CEC-C1 and CPX-CMXX Codesys V2 controllers, though CPX-CMXX was phased out in 2015. It adds that the vulnerability could allow unauthenticated, remote access to critical webpage functions, which may cause a denial of service. The third vulnerability, tracked under CVE-2022-3270 affects Festo controllers using the Festo Generic Multicast (FGMC) protocol allowing for an unauthenticated reboot of controllers over the network. The security loophole can lead to denial of service. 

“These issues are similar to others we have recently disclosed as part of OT:ICEFALL. CVE-2022-4048 is an example of weak cryptography, CVE-2022-3079 exemplifies lack of authentication and CVE-2022-3270 falls in the category of insecure engineering protocols,” according to the researchers. 

The official website of CODESYS identifies it as the leading IEC 61131-3 automation suite, running on several million devices of approximately 1,000 models from over 500 manufacturers. The devices are deployed across the manufacturing, energy automation, and building automation industries. “Although these devices are typically not supposed to be exposed online, we see almost 3,000 devices running CODESYS when querying the Shodan search engine (‘port:2455 operating system’),” the researchers revealed.

Festo CPX is an automation platform for electric and pneumatic systems. CPX-CEC-C1 and CPX-CMXX controllers run CODESYS V2, while newer versions run CODESYS V3 and provide capabilities for Industry 4.0, such as remote I/O and cloud connection. “On the Forescout Device Cloud – a repository of data from 19 million devices monitored by Forescout appliances – we see close to 1,000 Festo controllers, used overwhelmingly within manufacturing,” the research revealed.

The CODESYS V3 runtime environment offers application encryption to ensure download code and boot applications are encrypted. The encryption can be facilitated by using the Wibu-Systems CodeMeter security dongle, in which case the EncryptDownloadCode routine will generate a session key, encrypt it with the dongle key, encrypt the download code with the session key and finally package the encrypted session key and code ciphertext together. 

However, the researchers at Vedere Labs said that the approach has been identified to contain limitations. The session keys are generated using an insecure pseudo-random number generator (PRNG) working off a tiny and predictable seed. 

EncryptDownloadCode generates session keys using the dotnet Random Class – not a secure PRNG – seeded with the current tick count, which is predictable and reduced to 31 bits through a signed integer cast. The session key is then encrypted through interfacing with the dongle component. 

Next, the session key is used, together with a NULL-IV, to encrypt the download code using advanced encryption standard (AES) in electronic code book (ECB) mode on a block-by-block basis. Even though the session key is encrypted using the dongle before being shipped with the ciphertext, the session key itself is generated insecurely. Since the effective keyspace is only 31 bits, an attacker can simply brute force the session key to decrypt the downloaded code for manipulation.

The researchers also found that the encryption scheme uses an insecure mode of operation. “The code is encrypted in ECB mode without additional cryptographic authentication and integrity over the ciphertext. This means that both confidentiality and integrity are compromised regardless of session key strength,” they added.

The Vedere Labs researchers also found that Festo CPX-CEC-C1 controllers and several other Festo devices are affected by known CODESYS vulnerabilities CVE-2022-31806 and CVE-2022-22515 because they are shipped with an unsafe configuration of the CODESYS runtime environment. “This is yet another example of a supply chain issue where a vulnerability has not been disclosed for all the products it affects, as we have seen in OT:ICEFALL with CVE-2014-9195 affecting ProConOS,” they added.

The OT:ICEFALL vulnerabilities impact major OT/ICS products, including SCADA systems, PLCs, Distributed Control Systems (DCS), engineering workstations, Human-Machine Interfaces (HMIs), Building Management Systems (BMS), Safety Instrumented Systems (SIS) which, SIS protect life and safety of personnel, Chris Warner, senior security consultant for OT governance and risk at GuidePoint Security, wrote in an emailed statement. “Exploiting the vulnerabilities can lead to remote code execution, firmware manipulation, and authentication bypass creating a greater risk that could cause catastrophic events in life, health, safety, reputation, production, and financial impacts.”

“Asset owners must rely on manufacturers of OT equipment for secure products and secure designs from system integrators,” according to Warner. “The IEC 62443-4-1 has secure product development requirements and IEC 62443-4-2 has technical security requirements for Industrial Automation Control Systems (IACS) components. OT/ICS Manufacturers should leverage the IEC 62443 framework to ensure a minimum level of security,” he added.

Keeping in mind that patching or replacing OT devices is notoriously difficult due to their mission-critical nature, the researchers from Vedere Labs proposed a couple of mitigation actions. These include discovering and carrying out an inventory of vulnerable devices. They also suggested enforcing segmentation controls and proper network hygiene to mitigate the risk from vulnerable devices, while restricting external communication paths and isolating or containing vulnerable devices in zones as a mitigating control if they cannot be patched or until they can be patched.

Furthermore, OT environments could monitor all network traffic for malicious packets that try to exploit known vulnerabilities or possible zero-days, the researchers said. Anomalous and malformed traffic should be blocked, or at least alert its presence to network operators. Forescout has developed an eyeInspect script specifically designed to monitor CODESYS V3 traffic and potentially dangerous operations using the protocol, including changes to a PLC’s logic that would be done by exploiting CVE-2022-4048.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.