
Woburn, MA – September 18, 2019 – Kaspersky ICS CERT researchers have discovered several vulnerabilities in a popular framework used for developing industrial devices including Programmable Logic Controllers (PLC) and Human-Machine Interface (HMI). The uncovered vulnerabilities allow attackers to conduct covert destructive remote and local attacks on the organization where PLCs developed through this vulnerable framework are used. The framework was developed by CODESYS® and vulnerabilities were remedied following a report from Kaspersky.

PLC devices automate processes previously performed manually or with help of complex electro-mechanical devices. In order to make a PLC work correctly, devices should be programmed via a special software framework that helps engineers code and upload process automation program instructions into PLC. This also provides a runtime execution environment for the PLC program code, and the software is used across various environments including production, energy generation, smart city infrastructures and more.

Kaspersky ICS CERT researchers investigated a sophisticated and powerful tool designed for developing and controlling PLC programs. As a result, they were able to identify more than a dozen security issues in the main network protocol of the framework and the framework runtime, four of which were recognized as particularly serious and were assigned with separate IDs: CVE-2018-10612, CVE-2018-20026, CVE-2019-9013, and CVE-2018-20025.

Depending on the flaws exploited, an attacker could intercept and forge network command and telemetry data flows, steal and reuse passwords and other authentication information, inject malicious code into the runtime and elevate the attacker’s privileges in the system, and perform other unauthorized actions, all while effectively hiding their presence in the attacked network. This means that an attacker would be able to either corrupt the functionality of PLCs at a particular facility or gain full control while staying under the radar of the operational technology personnel of the attacked facility.

Cyberattacks can also disrupt operations or steal sensitive data such as intellectual property, factory production capabilities or new products in production. In addition, these attacks can be used to oversee the operations of the facility and gather other intelligence that may be considered sensitive in the attacked organization.

Upon discovery, Kaspersky immediately reported these issues to the vendor of the affected software. All reported vulnerabilities are now fixed and patches are available for framework users.

“The vulnerabilities we discovered provided an extremely wide attack surface for potentially malicious behavior and, given how widespread the software in question is, we are grateful to the software vendor for their prompt response and ability to swiftly fix these issues,” said Alexander Nochvay, security researcher at Kaspersky ICS CERT. “We would like to think that as a result of this research we were able to make the job for attackers significantly harder. However, many of these vulnerabilities would have been discovered earlier if the security community were involved in the development of network communication protocol at earlier stages. We believe collaboration with the security community should become an ongoing practice for developers of important components for industrial systems including both hardware and software.”

"Product security is of utmost importance to the CODESYS Group. We therefore appreciate the comprehensive research results provided by Kaspersky – they help us to make CODESYS even securer," said Roland Wagner, head of product marketing at CODESYS Group. "For many years now, we have been investing considerable technical and administrative efforts to permanently improve the security features of CODESYS. All detected vulnerabilities are immediately investigated, assessed, prioritized and published in a security advisory. Fixes in the form of software updates are promptly developed and immediately made available to all CODESYS users in the CODESYS Store."

To learn more about the research, read the full paper on the Kaspersky ICS CERT website.

About Kaspersky ICS CERT

Kaspersky Industrial Control Systems Cyber Emergency Response Team (Kaspersky ICS CERT) is a global project launched by Kaspersky in 2016 to coordinate the efforts of automation system vendors, industrial facility owners and operators, and IT security researchers to protect industrial enterprises from cyberattacks. Kaspersky ICS CERT devotes its efforts primarily to identifying potential and existing threats that target industrial automation systems and the Industrial Internet of Things. Since its inception, the team has identified over 200 critical vulnerabilities in products by major global ICS vendors. Kaspersky ICS CERT is an active member and partner of leading international organizations that develop recommendations on protecting industrial enterprises from cyberthreats. ics-cert.kaspersky.com

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Media Contact:
Cassandra Faro
Cassandra.Faro@Kaspersky.com
781-503-1812

Kaspersky ICS CERT to Eliminate Bugs in Popular Automated Industrial System Software
