Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2013.0077 ICSA-13-011-01--3S CODESYS MULTIPLE VULNERABILTIES 15 January 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: CoDeSys Version 2.3.X CoDeSys Version 2.4.X Publisher: 3S-Smart Software Operating System: Network Appliance Impact/Access: Administrator Compromise -- Remote/Unauthenticated Unauthorised Access -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2012-6069 CVE-2012-6068 Reference: ESB-2012.1038 Original Bulletin: http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-01.pdf Comment: Publicly available exploits exist that target these vulnerabilities. - --------------------------BEGIN INCLUDED TEXT-------------------- ICS-CERT ADVISORY ICSA-13-011-01--3S CODESYS MULTIPLE VULNERABILTIES January 11, 2013 OVERVIEW This advisory is a follow-up to the ICS-CERT Alert titled "ICS-ALERT-12-097-02A--3S- Software CoDeSys Improper Access Control (Update)" that was published October 26, 2012, on athe ICS-CERT Web page. [a] This advisory provides mitigation details for multiple vulnerabilities that affect the 3S-Smart Software Solutions CoDeSys Runtime Toolkit. Independent researcher Reid Wightman of IOActive, formerly of Digital Bond, identified [b] an improper access control and a directory traversal vulnerability in the 3S CoDeSys Runtime application without coordination with ICS-CERT, the vendor, or any other coordinating entity known to ICS-CERT. Exploitation of these vulnerabilities would allow unauthorized access to the system and unauthorized access to the file system. The CoDeSys Runtime Toolkit is used in a number of vendor’s products worldwide. 3S has developed a patch that implements a password for authentication to the system. Reid Wightman has validated that the patch, issued by 3S, mitigates theses vulnerabilities. These vulnerabilities can be exploited remotely. Exploits that target these vulnerabilities are known to be publicly available. This researcher has released proof-of-concept (PoC) code for these vulnerabilities. AFFECTED PRODUCTS The following 3S CoDeSys Runtime versions are affected: • CoDeSys Version 2.3.X • CoDeSys Version 2.4.X Note: CoDeSys Version 3.X is not affected by these vulnerabilities. IMPACT The improper access control vulnerability allows attackers to gain unauthorized administrative access to the device. Once access is obtained, the attacker has the ability to perform privileged operations without a password. Attackers can also exploit the directory traversal vulnerability to read and write to the file system. The 3S CoDeSys Runtime Toolkit is an embedded system that is used in a wide variety of different products manufactured by various vendors. 3S published a list of devices on their Web page that contained their products, but this has since been removed. It is believed that the CoDeSys Runtime Toolkit is used in over 260 individual products. Devices and programmable logic controllers (PLCs) that use the embedded CoDeSys Runtime Toolkit are used in various industries to include critical manufacturing, energy, transportation, and others. Devices containing CoDeSys are impacted. Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. BACKGROUND 3S-Smart Software Solutions is a German-based company that maintains offices in Germany and China. 3S develops software that is used in various PLC and industrial controllers. 3S also develops products specifically for visualization applications (HMIs), engineering desktop programming platforms, safety modules, and fieldbus controllers. The affected product, CoDeSys Runtime Toolkit, is embedded third-party software used in various manufacturers’ SCADA systems. According to 3S, CoDeSys is deployed across several sectors including critical manufacturing, building automation, energy, transportation, and others. 3S estimates that these products are used worldwide. VULNERABILITY CHARACTERIZATION VULNERABILITY OVERVIEW IMPROPER ACCESS CONTROL [c] The CoDeSys Runtime Toolkit does not require users to authenticate when connecting to the device. An attacker could obtain administrative privileges on the device by default. This could allow the attacker to compromise the availability, integrity, and confidentiality of the device. CVE-2012-6068 [d] has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:C/A:C). [e] DIRECTORY TRAVERSAL [f] The CoDeSys Runtime Toolkit’s file transfer functionality does not perform input validation, which allows an attacker to access files and directories outside the intended scope. This allows an attacker to upload and download any file on the device. This could allow the attacker to affect the availability, integrity, and confidentiality of the device. CVE-2012-6069 [g] has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:C/A:C). [h] VULNERABILITY DETAILS EXPLOITABILITY These vulnerabilities could be exploited remotely. EXISTENCE OF EXPLOIT Exploits that target these vulnerabilities are publicly available. DIFFICULTY An attacker with a low skill would be able to exploit these vulnerabilities. MITIGATION 3S released a press release concerning these vulnerabilities to their News & Events page, [i] which details the patch released to mitigate the vulnerabilities. The patch released by 3S implements a password for authentication to the device. The patch can be downloaded from the CoDeSys Download Center. [j] 3S also recommends the usage of standard security methods like firewalls or Virtual Private Network (VPN) access to prevent unauthorized access to the controller. CoDeSys version 3.X is not affected by these vulnerabilities. ICS-CERT encourages asset owners to upgrade to version 3 and take additional defensive measures to protect against this and other cybersecurity risks. • Minimize network exposure for all control system devices. Critical devices should not directly face the Internet. • Locate control system networks and remote devices behind firewalls, and isolate them from the business network. • When remote access is required, use secure methods, such as VPNs, recognizing that VPN is only as secure as the connected devices. ICS-CERT also provides a section for control systems security recommended practices on the US-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. [k] ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures. Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01A—Targeted Cyber Intrusion Detection and Mitigation Strategies, [l] that is available for download from the ICS-CERT Web page (www.ics-cert.org). Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT CONTACT For any questions related to this report, please contact ICS-CERT at: Email: ics-cert@hq.dhs.gov Toll Free: 1-877-776-7585 For industrial control systems security information and incident reporting: www.ics-cert.org ICS-CERT continuously strives to improve its products and services. You can help by answering a short series of questions about this product at the following URL: https://forms.us-cert.gov/ncsd-feedback/. DOCUMENT FAQ What is an ICS-CERT Advisory? An ICS-CERT Advisory is intended to provide awareness or solicit feedback from critical infrastructure owners and operators concerning ongoing cyber events or activity with the potential to impact critical infrastructure computing networks. When is vulnerability attribution provided to researchers? Attribution for vulnerability discovery is always provided to the vulnerability reporter unless the reporter notifies ICS-CERT that they wish to remain anonymous. ICS-CERT encourages researchers to coordinate vulnerability details before public release. The public release of vulnerability details prior to the development of proper mitigations may put industrial control systems and the public at avoidable risk. REFERENCES a. ICS-ALERT-12-097-02A--3S-Software CoDeSys Improper Access Control (Update), http://www.us-cert.gov/control systems/pdf/ICS-ALERT-12-097-02A.pdf, Web page last accessed January 11, 2013. b. 3S CoDeSys Disclosure, http://www.digitalbond.com/tools/basecamp/3s-codesys/ , Web page last accessed January 11, 2013. c. Improper Authentication, http://cwe.mitre.org/data/definitions/284.html, CWE-284: Improper Access Control, Web site last accessed January 11, 2013. d. NVD, http://web.nvd nist.gov/view/vuln/detail?vulnId=CVE-2012-6068 , NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory. e. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C), Web site last visited January 11, 2013. f. Relative Path Traversal, http://cwe mitre.org/data/definitions/23 html, CWE-23: Relative Path Traversal, Web site last accessed January 11, 2013. g. NVD, http://web.nvd nist.gov/view/vuln/detail?vulnId=CVE-2012-6069 , NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory. h. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C), Web site last visited January 11, 2013. i. 3S Press Release, http://www.codesys.com/news-events/press-releases/detail/article/sicherheitsluecke-in-codesys-v23-laufzeitsystem.html , Web page last accessed January 11, 2013. j. CoDeSys Download Center, http://www.codesys.com/download html, Web site last accessed January 11, 2013. k. CSSP Recommended Practices, http://www.us-cert.gov/controlsystems/practices/Recommended Practices.html , Web site last accessed January 11, 2013. l. Targeted Cyber Intrusion Detection and Mitigation Strategies, http://www.us-cert.gov/control systems/pdf/ICS-TIP-12-146-01A.pdf, Web site last accessed January 11, 2013. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUPT+ke4yVqjM2NGpAQIQHQ//bXgyAYkD5Suxu46/KKCSohTzsKPo+3R5 /61rXau/Un5ChuXOG7ZRMy7o3t3VUFRrQ5yJDqWW0+hRsqQHvVaFGw7EdKIKl1rO cdHo0HtymTnsBJqJabhxAWrT87YvQbEr5aCKDWRev0wBqD7+l00RosNfNoa8Uxpu FkZZX3S4JuL3eZ87De4bpmBJ1tCQWlyOdtv2IuLe781S1tug67sAVpq5UtPWG5la dwbGdTIlG1oQmXH/BfdgX17pH5GWapMpisCbbTn/4gtZ4WAUOC6FT4zYn/NDkGZr xRm6JaZkhVNOC9P65Uqvo7m5Q4nHD6qtos+n5suCTJ63FdD6W9+E0F5Ct8h0I9Ag Sf8PZxCz1dQZdwPCfLOkCx+GB9IUibjE8h44oqA+EsujMOL8cf4d12iGQJdSOj5Y DUMBuVqeroBkb9JBoI0bEOf5Cs7ToRJ180r0qPQ9ZLEfufMMbxxeIx4EjLrS3YuN iC2MIesdIlFaMOYX8v0/N38rhPgmuTmtWzA/gXEdeUCJJ/IgctROpEYWeSLHpmHi W1NJx53OetNTzW+SUMO/PF0mN8spzmwueWwt1Gnf6hGMaW3AKwht+Go2tn1ZUbjL S8XK/yPhLwhGXLeSWWVeEiAAPrr61RPzjivNiS1tMwqKx5Y5eNhXM3G0YXWIzvFM oZZC+j66YBI= =RnTI -----END PGP SIGNATURE-----