"Trio of New Vulnerabilities Allow Code Manipulation, Denial of Service (And Worse) For Industrial Controllers"

Vedere Labs researchers revealed three new security flaws that can be exploited to attack automated industrial controllers and widely used software for programming millions of smart devices in critical infrastructure. The vulnerabilities, tracked as CVE-2022-4048, CVE-2022-3079, and CVE-2022-3270, enable logic manipulation and Denial-of-Service (DoS), mainly affecting products from two major German vendors: Festo automated controllers and the CODESYS runtime. Developers use CODESYS to program smart devices, and the application is used by hundreds of device manufacturers across multiple industrial sectors.

The flaws are part of OT Icefall, a larger research project undertaken by Vedere Labs to increase awareness of security flaws in the Operational Technology (OT) systems that control the machinery powering much of critical infrastructure. Earlier this year, the company disclosed nearly 60 such vulnerabilities impacting over a dozen major industrial products and equipment. According to Daniel Dos Santos, head of security research at Vedere Labs, the three vulnerabilities exploit poor cryptography, a lack of authentication, and insecure engineering. These issues are among the most common ones discovered as part of the project, and they highlight long-standing core security and supply chain challenges faced in many industrial sectors.

An attacker could exploit CODESYS' weak built-in cryptographic protocols to decrypt or manipulate protected code, or exploit authentication failures in Festo controllers to gain access to a previously hidden web application page that allows them to persistently reboot the device, shutting it down. DoS can be especially dangerous for OT equipment and for critical infrastructure entities that operate around the clock. Vedere Labs has discovered and reported at least three different methods for exploiting the vulnerability and forcing a reboot of Festo Programmable Logic Controllers (PLCs).

This article continues to discuss the three security vulnerabilities disclosed by researchers at Vedere Labs and OT being insecure by design.

SC Media reports "Trio of New Vulnerabilities Allow Code Manipulation, Denial of Service (And Worse) For Industrial Controllers"

Submitted by Anonymous on