Critical CODESYS Vulnerabilities In WAGO PFC 200 Series

Title

Critical CODESYS vulnerabilities

Product

WAGO PFC 200 Series

Vulnerable Version

plclinux_rt 2.4.7.0, see "Vulnerable / tested versions"

Fixed Version

PFC200 FW11

CVE Number

Impact

critical

Found

28.07.2017

By

T. Weber (Office Vienna) | SEC Consult Vulnerability Lab

The Linux-based WAGO PFC200 PLC series contains a vulnerable version of the CODESYS runtime (2.4.7.0). The CODESYS process runs with “root” privileges and can be abused in multiple ways to read, write or delete files or to modify the PLC program at runtime without any authentication.

Vendor Description

“The WAGO-I/O-SYSTEM is a flexible fieldbus-independent solution for decentralized automation tasks. With the relay, function and interface modules, as well as overvoltage protection, WAGO provides a suitable interface for any application.”

Source: http://global.wago.com/en/products/product-catalog/components-automation/overview/index.jsp

“The PFC family of controllers offers advanced compact, computing power for PLC programming and process visualization. Programmable in accordance with IEC 61131-3 600, PFC controllers feature a 600 MHz ARM Cortex A8 processor that offers high speed processing and support of 64 bit variables.”

Source: http://www.wago.us/products/components-for-automation/modular-io-system-series-750-753/programmable-fieldbus-controller/pfc200/index.jsp

Business Recommendation

Because these devices are used in industrial and safety-critical environments, the patch has to be applied as soon as it is available. We explicitly point out to all users in this sector that devices of the mentioned series with firmware 02.07.07(10) should not be connected directly to the internet (or even act as a gateway), since it is very likely that an attacker could compromise the whole network via such a device.

SEC Consult recommends not using this product in a production environment until a thorough security review has been performed by security professionals.

Vulnerability Overview / Description

The “plclinux_rt” service accepts different unauthenticated actions.

This vulnerability is rooted in the architectural security problems described by Reid Wightman. The SDK of “plclinux_rt” is written by the same vendor (3S); therefore, the file commands of “Digital Bond’s 3S CODESYS Tools”, created around 2012, are applicable.
(See https://ics-cert.us-cert.gov/advisories/ICSA-13-011-01)

The CODESYS command line is protected with login credentials, which is why the shell of the mentioned tools does not provide root access out of the box. After some investigation, however, it became clear that further functions are reachable without using the command line and without any authentication.

These functions in “plclinux_rt” can be triggered by sending the correct TCP payload to the bound port (by default 2455).

Some of the triggerable functions are:

  • Arbitrary file read/write/delete (also covered by “Digital Bond’s Tools”)
  • Step over a function in the currently executed PLC program
  • Cycle step any function in the currently executed PLC program
  • Delete the current variable list of the currently executed PLC program
  • And more functions…

Since SSH is activated by default, an unauthenticated attacker can rewrite “/etc/shadow” and gain root privileges easily via these attack vectors!

1) Critical Improper Authentication / Design Issue

Files can be fetched, written and deleted. Running tasks on the PLC can be restarted, stepped and crashed. An attacker can therefore replace the password hash in the shadow file. A memory corruption (and potential reverse-shell) is also possible via arbitrary TCP packets. There are potentially more commands which can be triggered, but this was not covered by the short security crash test.

Proof Of Concept

As there is no patch available yet, the detailed proof of concept information has been removed from this advisory.

1) Critical Improper Authentication / Design Issue

Two payloads are specified here as proof of concept for file manipulation. Four payloads for live program manipulation are also listed.

File read and delete without any authentication.

Read “/etc/shadow”:

echo '[PoC removed]' | xxd -r -p | nc <PLC-IP> <Port>

Delete “/etc/test”:
echo '[PoC removed]' | xxd -r -p | nc <PLC-IP> <Port>

Running PLC tasks could be modified with the following payloads:

Step over function:
echo '[PoC removed]' | xxd -r -p | nc <PLC-IP> <Port>

Cycle step function:
echo '[PoC removed]' | xxd -r -p | nc <PLC-IP> <Port>

Delete variable list (produces stack-trace / denial of service):
echo '[PoC removed]' | xxd -r -p | nc <PLC-IP> <Port>

The actual function is selected by the 7th byte of the payloads above, e.g.:

  • 0x31 -> read file
  • 0x36 -> delete file
  • 0x0a -> step over
  • 0x24 -> cycle step
  • 0x15 -> delete variable list

There are many more functions hidden in the “plclinux_rt” binary; this is just an excerpt of a few of them.

These functions can be examined starting from “SrvComputeService”. Two pseudo-code snippets generated by IDA Pro show some examples (the functionality can be quickly determined from the corresponding debug message):
[PoC removed from this advisory]

Vulnerable / Tested Versions

WAGO PFC200 Series / Firmware 02.07.07(10)

17 affected devices:
  • 750-8202
  • 750-8202/025-000
  • 750-8202/025-001
  • 750-8202/025-002
  • 750-8202/040-001
  • 750-8203
  • 750-8203/025-000
  • 750-8204
  • 750-8204/025-000
  • 750-8206
  • 750-8206/025-000
  • 750-8206/025-001
  • 750-8207
  • 750-8207/025-000
  • 750-8207/025-001
  • 750-8208
  • 750-8208/025-000

The WAGO contact stated during a call that all PLCs of the 750-88X Series are not vulnerable due to a custom fix from WAGO. The contact also stated that the PLCs of the 750-810X (PFC100) series are also not vulnerable because they have CODESYS 3.5 deployed.

Devices of any other vendor which use the CODESYS 2.3.X/2.4.X runtime are potentially prone to the same vulnerability.
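The following inventory check is an added example and not part of the advisory: it classifies devices against the article numbers listed above and the FW11 fix. It assumes that the number in parentheses of a WAGO version string such as "02.07.07(10)" is the FW release number, and the sample inventory (hostnames, the "02.08.xx(11)" string and the "750-88X" placeholder) is constructed.

```python
import re

# Article numbers this advisory lists as affected (PFC200, firmware 02.07.07(10)).
AFFECTED_ARTICLES = {
    "750-8202", "750-8202/025-000", "750-8202/025-001", "750-8202/025-002",
    "750-8202/040-001", "750-8203", "750-8203/025-000", "750-8204",
    "750-8204/025-000", "750-8206", "750-8206/025-000", "750-8206/025-001",
    "750-8207", "750-8207/025-000", "750-8207/025-001", "750-8208",
    "750-8208/025-000",
}
FIXED_FW = 11  # vendor fix for the PFC200 series: firmware FW11


def fw_release(version: str):
    """Extract the FW release number from a WAGO version string.

    Assumption (not stated by the vendor): the number in parentheses of
    e.g. '02.07.07(10)' is the FW release, here FW10.  Returns None when
    the string carries no such number.
    """
    m = re.search(r"\((\d+)\)", version)
    return int(m.group(1)) if m else None


def assess(article: str, version: str) -> str:
    """Classify one device: 'vulnerable', 'patched', 'not-affected' or 'unknown'."""
    if article.strip() not in AFFECTED_ARTICLES:
        # e.g. 750-88X or PFC100 (750-810X), stated as not vulnerable by WAGO
        return "not-affected"
    rel = fw_release(version)
    if rel is None:
        return "unknown"  # version not parseable: verify on the device itself
    return "patched" if rel >= FIXED_FW else "vulnerable"


def triage(inventory):
    """inventory: iterable of (hostname, article number, firmware string)."""
    return {host: assess(article, fw) for host, article, fw in inventory}


# Constructed sample inventory (hostnames and values are not from the advisory).
SAMPLE_INVENTORY = [
    ("plc-line1", "750-8202", "02.07.07(10)"),         # affected, still on FW10
    ("plc-line2", "750-8206/025-001", "02.08.xx(11)"),  # placeholder FW11 string
    ("plc-line3", "750-88X", "02.07.07(10)"),           # placeholder: series not listed
    ("plc-old", "750-8204", "unknown"),                 # version not recorded
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```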

Vendor Contact Timeline

2017-08-02 Contacting vendor through info@wago.com and setting the publication date to 2017-09-21.
2017-08-09 Sending a reminder to info@wago.com
2017-08-16 Found a dedicated security contact of WAGO. Contacting this employee via e-mail.
2017-08-17 Contact responds that he will read the redirected e-mail from info@wago.com. Sending e-mail to contact that the message sent to info@wago.com does not contain the actual advisory and that an encrypted channel should be used for transmission.
2017-08-22 Sending reminder to contact and re-transmitting the responsible disclosure policy and all possible ways to transmit the advisory.
2017-08-29 Uploading advisory to WAGO ShareFile.
2017-09-15 Telephone call with WAGO contact. Discussion about the vulnerability. Fix will be available in the next firmware version. Vendor clarified that series 750-88X is not prone to the reported vulnerability. Set the publication date to 2017-09-28.
2017-09-26 Telephone call with vendor. Vendor is working on a fix of the vulnerabilities. Set the publication date to 2017-10-12.
2017-10-06 Sending a reminder to the vendor; No answer.
2017-10-11 Sending a reminder to the vendor. Vendor states that they are working on an update and a timeline for the fix will be provided on 2017-10-13.
2017-10-13 Asked for an update; No answer.
2017-10-17 Informing the vendor that the publication date was set to 2017-10-23.
2017-10-19 Vendor responds that the vulnerability in the PFC200 series will be patched in firmware version FW12. Set publication date to 2017-10-27 and asked the vendor for a timeline regarding the PFC100 series.
2017-10-20 Vendor responds that the PFC100 series is not vulnerable since it does not contain the CODESYS 2.4 runtime. Vendor corrected the firmware to version FW11. The patch will be available in January 2018.
2017-10-30 Informed vendor that the advisory will be published on 2017-11-30.
2017-11-30 Advisory release

Solution

Update your WAGO PFC200 Series to firmware version FW11 as soon as it is available. In the meantime, see the workaround section.

Workaround

Close the programming port (TCP 2455) after programming the device.
Alternatively, the CODESYS V3 runtime can be used instead and “plclinux_rt” deleted:
https://store.codesys.com/codesys-control-for-pfc200-sl.html

Network access to the device should be restricted.
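To verify that the workaround holds, the following added example (not part of the advisory) flags connections to the programming port TCP 2455 on known PLCs that come from hosts other than the engineering workstations, from outside the plant network, or outside a maintenance window. The CSV flow-record format, IP addresses, allowlist and maintenance window are constructed assumptions.

```python
from datetime import datetime
import ipaddress

CODESYS_PORT = 2455  # plclinux_rt programming port (TCP) named in the advisory

# Constructed assumptions: PLC addresses, allowed engineering workstations,
# the plant network, and the hours in which programming traffic is expected.
PLCS = {"192.0.2.10", "192.0.2.11"}
ENGINEERING_HOSTS = {"192.0.2.100"}
PLANT_NET = ipaddress.ip_network("192.0.2.0/24")
MAINTENANCE_WINDOW = (8, 18)  # local hours, start inclusive, end exclusive


def parse_flow(line: str):
    """Parse a constructed CSV flow record: time,proto,src,dst,dport."""
    ts, proto, src, dst, dport = line.strip().split(",")
    return datetime.fromisoformat(ts), proto, src, dst, int(dport)


def check_flow(line: str):
    """Return an alert string for a suspicious CODESYS-port connection, else None."""
    ts, proto, src, dst, dport = parse_flow(line)
    if proto != "tcp" or dport != CODESYS_PORT or dst not in PLCS:
        return None
    reasons = []
    if src not in ENGINEERING_HOSTS:
        reasons.append("source is not an engineering workstation")
    if ipaddress.ip_address(src) not in PLANT_NET:
        reasons.append("source outside plant network")
    if not (MAINTENANCE_WINDOW[0] <= ts.hour < MAINTENANCE_WINDOW[1]):
        reasons.append("outside maintenance window")
    if not reasons:
        return None
    return f"{ts.isoformat()} {src} -> {dst}:{dport} ({'; '.join(reasons)})"


def scan(lines):
    """Run check_flow over all records and return the list of alerts."""
    return [alert for alert in (check_flow(ln) for ln in lines) if alert]


# Constructed sample flow records (not captured from a real network).
SAMPLE_FLOWS = [
    "2017-11-30T09:15:00,tcp,192.0.2.100,192.0.2.10,2455",  # expected programming
    "2017-11-30T09:16:00,tcp,192.0.2.100,192.0.2.10,22",    # SSH, not the CODESYS port
    "2017-11-30T03:02:00,tcp,192.0.2.55,192.0.2.11,2455",   # unknown internal host, at night
    "2017-11-30T10:00:00,tcp,198.51.100.7,192.0.2.10,2455", # reachable from outside
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```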

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

EOF T. Weber / @2017
