Siemens Released Updates to Fix Serious PLC Vulnerability

May 31, 2021 09:04 GMT

On Friday, Siemens released firmware updates to fix a serious vulnerability in its SIMATIC S7-1200 and S7-1500 programmable logic controllers (PLCs). Both models could be exploited by a malicious actor to remotely gain access to protected memory areas and achieve unrestricted, undetected code execution, an outcome the researchers describe as the "holy grail" of PLC attacks.

Claroty identified the memory protection bypass vulnerability, listed as CVE-2020-15782 (CVSS score: 8.1), by reverse-engineering the MC7 / MC7+ bytecode language used to execute PLC instructions in the microprocessor. There is no evidence that the flaw has been exploited in the wild.

Siemens stated in an alert that an unauthenticated, remote attacker with network access to TCP port 102 could potentially write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks.

Claroty researcher Tal Keren stated, "Achieving native code execution on an industrial control system such as a programmable logic controller is an end-goal relatively few advanced attackers have achieved".

"These complex systems have numerous in-memory protections that would have to be hurdled in order for an attacker to not only run code of their choice, but also remain undetected".

The vulnerability not only lets an attacker execute native code on Siemens S7 controllers; by escaping the user sandbox and injecting arbitrary data and code directly into protected memory areas, it also evades detection by the underlying operating system and by any diagnostic software.

Claroty noted, however, that the attack requires both network access to the PLC and PLC download privileges. By jailbreaking the PLC's native sandbox, the company said, it was able to implant kernel-level malicious software into the operating system that enables remote code execution.
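The network-access precondition described above is something a defender can monitor. As an added example (not from the article, Siemens or Claroty), the Python snippet below flags TCP port 102 sessions to inventoried S7 PLCs that originate from hosts outside an engineering-workstation allowlist; the addresses, asset inventory and firewall log format are constructed assumptions.

```python
# Added example: flag S7 PLC access over TCP port 102 from hosts that are not
# approved engineering workstations. Addresses, inventory and the log format
# below are constructed assumptions, not data from the article or advisory.
from collections import Counter

S7_PORT = 102  # ISO-on-TCP port named in the Siemens advisory

# Constructed asset inventory: PLCs and the workstations permitted to reach them.
PLCS = {"10.10.20.11": "S7-1500 line 1", "10.10.20.12": "S7-1200 packaging"}
ALLOWED_ENGINEERING_HOSTS = {"10.10.10.5", "10.10.10.6"}

# Constructed firewall log: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto> <action>"
SAMPLE_LOG = """\
2021-05-28T08:00:01Z 10.10.10.5:51022 -> 10.10.20.11:102 TCP ALLOW
2021-05-28T08:00:09Z 10.10.10.6:51030 -> 10.10.20.12:102 TCP ALLOW
2021-05-28T08:01:14Z 192.168.5.77:44012 -> 10.10.20.11:102 TCP ALLOW
2021-05-28T08:01:15Z 192.168.5.77:44013 -> 10.10.20.12:102 TCP ALLOW
2021-05-28T08:02:00Z 10.10.10.5:51040 -> 10.10.20.11:80 TCP ALLOW
"""

def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port) for one log line."""
    ts, src, _, dst, *_ = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src_ip, dst_ip, int(dst_port)

def find_unexpected_s7_access(log_text):
    """Flag TCP/102 sessions to inventoried PLCs from non-allowlisted sources.

    Returns a list of (timestamp, src_ip, plc_name) tuples.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, dst_ip, dst_port = parse_line(line)
        if dst_port != S7_PORT or dst_ip not in PLCS:
            continue  # not S7 traffic to a known PLC
        if src_ip not in ALLOWED_ENGINEERING_HOSTS:
            hits.append((ts, src_ip, PLCS[dst_ip]))
    return hits

def summarize(hits):
    """Count flagged sessions per source host, for triage."""
    return Counter(src for _, src, _ in hits)

if __name__ == "__main__":
    alerts = find_unexpected_s7_access(SAMPLE_LOG)
    for ts, src, plc in alerts:
        print(f"{ts} unexpected S7 (TCP/102) access from {src} to {plc}")
    print(dict(summarize(alerts)))
```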

Siemens PLCs have also been hacked in the past 

This is not the first case of unauthorized code execution on Siemens PLCs. In 2010, the infamous Stuxnet worm exploited various Windows vulnerabilities to reprogram industrial control systems by modifying code on Siemens PLCs for cyber espionage and covert sabotage.

To reduce the risk, Siemens strongly advises customers to update to the latest versions. The company also said it is preparing additional updates and advises users to apply countermeasures and workarounds for products for which updates are not yet available.