CODESYS 2.4.7.0 Denial Of Service Exploit

2021-11-01T00:00:00

Description

{"id": "1337DAY-ID-36970", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "CODESYS 2.4.7.0 Denial Of Service Exploit", "description": "", "published": "2021-11-01T00:00:00", "modified": "2021-11-01T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://0day.today/exploit/description/36970", "reporter": "Gerhard Hechenberger", "references": [], "cvelist": ["CVE-2021-34593"], "immutableFields": [], "lastseen": "2021-12-03T01:58:22", "viewCount": 96, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-34593"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:165874"]}, {"type": "zdt", "idList": ["1337DAY-ID-37316"]}], "rev": 4}, "score": {"value": 4.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-34593"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:165874"]}, {"type": "zdt", "idList": ["1337DAY-ID-37316"]}]}, "exploitation": null, "vulnersScore": 4.1}, "sourceHref": "https://0day.today/exploit/36970", "sourceData": "=======================================================================\n title: CODESYS V2 Denial of Service\n product: CODESYS Runtime Toolkit 32-bit, CODESYS PLCWinNT\n vulnerable version: <V2.4.7.56\n fixed version: V2.4.7.56\n CVE number: CVE-2021-34593\n impact: High\n homepage: https://www.codesys.com/\n found: 2021-05-05\n by: SEC Consult Vulnerability Lab\n This vulnerability was discovered during the research\n cooperation initiative \"OT Cyber Security Lab\" between\n Verbund AG and SEC Consult Group.\n Gerhard Hechenberger (Office Vienna)\n Steffen Robertz (Office Vienna)\n\n An integrated part of SEC Consult, an Atos company\n Europe | Asia | North America\n\n https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"CODESYS is the leading manufacturer-independent IEC 61131-3 automation\nsoftware for engineering control systems.\"\n\nSource: https://www.codesys.com/\n\n\nBusiness recommendation:\n------------------------\nThe vendor provides patches. The vendors of products using the affected\nsoftware should provide new firmware versions immediately. Users of these\nproducts should update their devices to those fixed firmware versions.\n\n\nVulnerability overview/description:\n-----------------------------------\nThe CODESYS Control runtime system is the core of many PLCs. The runtime is\naccepting TCP connections on a pre-configured port to connect to the\ndevelopment system. By sending requests that define an invalid packet size,\na memory allocation error can be triggered. This leads to a denial of service\ncondition of the remote connectivity of the CODESYS service, which prevents\nclients from connecting to the affected PLC.\n\nCODESYS released a dedicated security note, which corresponds to this advisory:\nhttps://customers.codesys.com/index.php?eID=dumpFile&t=f&f=16877&token=8faab0fc1e069f4edfca5d5aba8146139f67a175\n\n\nProof of concept:\n-----------------\nA detailed proof of concept will be made public after the affected product\nvendors had time to provide new firmware versions.\n\n\nVulnerable / tested versions:\n-----------------------------\n2.4.7.0\n\n\nVendor contact timeline:\n------------------------\n2021-05-25: Contacting 3rd party vendor of a product using the CODESYS runtime\n about this issue.\n2021-08-11: Vendor states that this issue was already fixed in a recent CODESYS\n release.\n2021-08-18: A check on the product's most recent public firmware release\n shows that the vulnerability still exists. The vendor is notified\n again about this outcome.\n2021-09-01: The vendor confirms and ensures the issue is investigated in\n collaboration with CODESYS.\n2021-10-15: CODESYS informs about the assigned CVE-2021-34593 and the planned\n publishing date.\n2021-10-28: Coordinated release.\n\n\nSolution:\n---------\nImmediately update to the patched version of CODESYS.\n\n\nWorkaround:\n-----------\nTo mitigate this issue, access to the CODESYS service port of the affected\ndevices should be limited as far as possible. In the long run, the updated\nfirmware of the product vendor containing a patched CODESYS service must be\ninstalled.\n", "category": "dos / poc", "verified": true, "_state": {"dependencies": 1646089718}}

{"cve": [{"lastseen": "2022-04-12T21:17:26", "description": "In CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56 unauthenticated crafted invalid requests may result in several denial-of-service conditions. Running PLC programs may be stopped, memory may be leaked, or further communication clients may be blocked from accessing the PLC.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-26T10:15:00", "type": "cve", "title": "CVE-2021-34593", "cwe": ["CWE-755"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34593"], "modified": "2022-04-12T18:05:00", "cpe": [], "id": "CVE-2021-34593", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34593", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": []}], "zdt": [{"lastseen": "2022-02-10T00:00:00", "description": "WAGO 750-8xxx PLC versions prior to Firmware 20 Patch 1 (v03.08.08) suffer from denial of service and user enumeration vulnerabilities.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-02-05T00:00:00", "type": "zdt", "title": "WAGO 750-8xxx PLC Denial Of Service / User Enumeration Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34593"], "modified": "2022-02-05T00:00:00", "id": "1337DAY-ID-37316", "href": "https://0day.today/exploit/description/37316", "sourceData": "=======================================================================\n title: Denial of service & User Enumeration\n product: WAGO 750-8xxx PLC\n vulnerable version: < Firmware 20 Patch 1 (v03.08.08)\n fixed version: Firmware 20 Patch 1 (v03.08.08)\n CVE number: CVE-2021-34593\n impact: Medium\n homepage: https://www.wago.com/\n found: 2021-05-05\n by: SEC Consult Vulnerability Lab\n These vulnerabilities were discovered during the research\n cooperation initiative \"OT Cyber Security Lab\" between\n Verbund AG and SEC Consult Group.\n Gerhard Hechenberger (Office Vienna)\n Steffen Robertz (Office Vienna)\n\n An integrated part of SEC Consult, an Atos company\n Europe | Asia | North America\n\n https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"Optimum performance and availability: Thanks to their ultra-high performance,\nlow power consumption, numerous interfaces, space-saving design and high\nreliability, WAGO\u2019s user-friendly controllers (PLCs) are cost-effective\nautomation solutions. For optimal automation both inside and outside the\ncontrol cabinet: the flexible IP20 remote I/O systems for all applications\nand environments.\"\n\nSource: https://www.wago.com/us/c/controllers-bus-couplers-i-o\n\n\nBusiness recommendation:\n------------------------\nWAGO's customers should upgrade the firmware to the latest version available.\n\nA thorough security review should be performed by security professionals to\nidentify further security issues.\n\n\nVulnerability overview/description:\n-----------------------------------\n1) Denial of Service (Codesys) (CVE-2021-34593)\nThe \"plclinux_rt\" binary is listening on port 2455. It handles communication with\nthe CODESYS suite. By sending requests that define an invalid packet size, a\nmalloc error can be triggered. This leads to a denial of service of the remote\nconnectivity of the codesys service.\n\nThis was also reported to and released together with CODESYS, find the\ncorresponding advisories here:\nhttps://sec-consult.com/vulnerability-lab/advisory/codesys-v2-denial-of-service/\nhttps://customers.codesys.com/index.php?eID=dumpFile&t=f&f=16877&token=8faab0fc1e069f4edfca5d5aba8146139f67a175\n\n\n2) Enumeration of Users\nDue to a time-based side channel vulnerability, it can be derived which\nusernames are valid. This eases the process of brute-forcing valid credentials.\n\n\n3) Outdated Software with Known Vulnerabilities\nThe PLC is using multiple outdated software components with known exploits.\n\n\n4) Insufficient Hardening of Binaries\nMultiple binaries are not compiled with available security features. This will\nease further attacks once a memory corruption vulnerability has been spotted.\n\n\nProof of concept:\n-----------------\n1) Denial of Service (Codesys) (CVE-2021-34593)\nCodesys packet headers are structured like below (pseudo code):\n\nstruct codesys_header {\n uint16_t magic,\n int32_t packet_size\n}\n\nThe magic bytes will be 0xbbbb. By defining a packet size of 0xffffffff, a size\nof 4 GB is defined. The following pseudo code will be used to handle the\nrequest:\n\nallocated_mem = (byte*)SysAllocDataMemory(coedesys_header.packet_size);\nbuffer_info->recv_buf_wout_header = allocated_mem;\nif (allocated_mem == (byte *)0x0) {\n return;\n}\n\nAs 4GB of memory aren't available, malloc will return a NULL pointer, which is\npassed back through the SysAllocDataMemory() function and the return statement\nin the pseudo code will be hit. Thus, the TCPServerTask() function will return.\nThe file descriptor for the client is not cleared in advance. Therefore, the\nsocket stays open indefinitely. A new client will open the next file\ndescriptor. As only 19 clients are allowed to be connected simultaneously, it\nis sufficient to send 19 requests with a wrong packet length to force the PLC\ninto a state where it will refuse further connections to the Codesys service.\n\nThe current implementation is missing the call to SysSockClose() once a buffer\nallocation fails.\n\n\n2) Enumeration of Users\nA time-based side channel vulnerability in the webserver's authentication\nmethod is leaking information about valid usernames. The following code snippet is\nused in the login method:\n\n// get password file and iterate over every line\n$pwFileArray = file($passwordFilename);\nforeach($pwFileArray as $lineNo => $pwFileLine)\n{\n // extract username and user password\n $passwordFileData = explode(':', trim($pwFileLine));\n // if username was found in line, verify given password with user password\n if(isset($passwordFileData[0]) && ($passwordFileData[0] === $username))\n {\n $pwCorrect = password_verify($password, $passwordFileData[1]);\n break;\n }\n}\n\nThe password hash is only calculated if the username is found to be valid. As\nthe PLC has limited computational power, this results in different timings for\nthe response depending on the validity of the username. The following script\ncan be used to find valid users. The parameter 'delay_valid' might need to be\nadjusted to the network speed:\n\n----------------------------\n#!/usr/sbin/python\nimport requests\nimport sys\nimport urllib3\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\ndelay_valid = 0.2\n\nf = open(sys.argv[1],\"r\");\n\nfor user in f.readlines():\n payload = {\"username\":user.replace('\\n',''),\"password\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"}\n cnt = 0\n for i in range(5):\n try:\n r = requests.post(\"https://<your_PLC_IP>/wbm/php/authentication/login.php\", json=payload, timeout=delay_valid, verify=False)\n except:\n cnt = cnt +1\n if cnt >=3:\n print(\"[*]Valid User: {}\".format(user))\n-----------------------------\n\n\n3) Outdated Software with Known Vulnerabilities\nFollowing outdated and vulnerable components were identified by using the IoT Inspector\nfirmware analysis tool:\n\n- Dsnmasq 2.80: 9 CVEs\n- Bash 4.4.23: 1 CVE\n- GNU glibc 2.30: 12 CVEs\n- Linux Kernel 4.9.146: 663 CVEs\n- OpenSSL 1.0.1: 103 CVEs\n- BusyBox 1.30.1: 2 CVEs\n- Curl 7.72.0: 1 CVE\n- OpenSSH 7.9p1: 4 CVEs\n- PHP 7.3.15: 11 CVEs\n- Wpa_supplicant 2.6: 20 CVEs\n- NET-SNMP 5.8: 1 CVE\n- Libpcap 1.8.1: 5 CVEs\n- Info-ZIP 3.0: 13 CVEs\n\n\n4) Insufficient Hardening of Binaries\nThe following features were extracted with the IoT Inspector:\n- 1.9% of all executables support full RELRO\n- 84.6% support partial RELRO\n- Only 3.6% of all executables make use of stack canaries\n- 58.9% are using ASLR/PIE\n\nThe plclinux_rt binary is an example of a particularly vulnerable binary. It\naccepts user input on port 2455 and is missing all compile-time security\nfeatures. Thus, it's a perfect candidate to successfully exploit any identified\nbuffer overflow.\n\n\nVulnerable / tested versions:\n-----------------------------\nThe following versions have been tested and found to be vulnerable:\n* WAGO 750-8xxx Firmware 18 (v03.06.11)\n* WAGO 750-8xxx Firmware 15 (v03.03.10)\n\n\nVendor contact timeline:\n------------------------\n2021-05-25: Contacting vendor through [email\u00a0protected], asking for\n security contact information. Support informed about their\n PSIRT team. Set preliminary release date to 2021-07-14.\n2021-05-26: Contacting PSIRT through [email\u00a0protected] for encryption options.\n2021-05-27: Received PGP key from PSIRT, transmitted encrypted advisory\n to [email\u00a0protected]\n2021-05-31: Wago PSIRT notifies about decryption problems.\n2021-06-02: Wago PSIRT redirects to VDE CERT for encrypted transmission.\n Transmitted encrypted advisory to [email\u00a0protected] Set release\n date to 2021-07-22. Wago PSIRT resolves decryption problems.\n2021-06-07: Received confirmation from VDE CERT.\n2021-08-11: On request, Wago PSIRT informs about the investigation results\n and mentions that the DoS was already reported and is fixed with\n firmware 18 patch 3.\n2021-08-18: A check on the most recent public firmware release\n v18 (v03.06.19) shows that the vulnerability still exists. Wago\n PSIRT is notified.\n2021-09-01: Wago PSIRT confirms and ensures the issue is investigated.\n2021-09-29: Request status from Wago PSIRT. Set new release date to 2021-11-16.\n2021-09-30: Wago PSIRT states that CODESYS provided a fix which is currently\n tested and to wait for a coordinated release with CODESYS.\n2021-10-15: CODESYS informs about the assigned CVE-2021-34593 and the planned\n publishing date.\n2021-10-18: Requesting information from Wago on an updated firmware version.\n2021-10-19: Wago PSIRT states that they just received the new CODESYS sources\n and it will take some more weeks to create a new firmware release.\n2021-10-28: CODESYS vulnerability CVE-2021-34593 is released in a coordinated\n manner together with CODESYS group without exploit details.\n2021-11-30: Request status from Wago PSIRT on new firmware release.\n2022-01-17: Request status from Wago PSIRT on new firmware release again.\n2022-01-18: Wago PSIRT informs that firmware 20 Patch 1 released on January 10,\n 2022 fixes the remaining issue. The firmware was not yet published\n on their website.\n2022-01-26: Release of security advisory.\n\n\nSolution:\n---------\nImmediately update the PLCs to the fixed firmware version provided by the\nvendor to mitigate CVE-2021-34593.\n\nThe fixed firmware release 20 patch 1 can be obtained from\nhttps://www.wago.com/de/d/6599873\n\nRegarding vulnerability 2)\nAs stated by Wago, there are only two possible default usernames. Therefore,\nthe username enumeration may not gain additional information and this will\nnot be changed.\n\nAdditionally, due to varying release cycles, there is a delay\nin updating components (affecting the other identified vulnerabilities). It is\nplanned to change to a new distribution release with firmware 20.\n", "sourceHref": "https://0day.today/exploit/37316", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "packetstorm": [{"lastseen": "2022-02-10T00:00:00", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2022-02-04T00:00:00", "type": "packetstorm", "title": "WAGO 750-8xxx PLC Denial Of Service / User Enumeration", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34593"], "modified": "2022-02-04T00:00:00", "id": "PACKETSTORM:165874", "href": "https://packetstormsecurity.com/files/165874/WAGO-750-8xxx-PLC-Denial-Of-Service-User-Enumeration.html", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20220126-0 > \n======================================================================= \ntitle: Denial of service & User Enumeration \nproduct: WAGO 750-8xxx PLC \nvulnerable version: < Firmware 20 Patch 1 (v03.08.08) \nfixed version: Firmware 20 Patch 1 (v03.08.08) \nCVE number: CVE-2021-34593 \nimpact: Medium \nhomepage: https://www.wago.com/ \nfound: 2021-05-05 \nby: SEC Consult Vulnerability Lab \nThese vulnerabilities were discovered during the research \ncooperation initiative \"OT Cyber Security Lab\" between \nVerbund AG and SEC Consult Group. \nGerhard Hechenberger (Office Vienna) \nSteffen Robertz (Office Vienna) \n \nAn integrated part of SEC Consult, an Atos company \nEurope | Asia | North America \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \n\"Optimum performance and availability: Thanks to their ultra-high performance, \nlow power consumption, numerous interfaces, space-saving design and high \nreliability, WAGO\u2019s user-friendly controllers (PLCs) are cost-effective \nautomation solutions. For optimal automation both inside and outside the \ncontrol cabinet: the flexible IP20 remote I/O systems for all applications \nand environments.\" \n \nSource: https://www.wago.com/us/c/controllers-bus-couplers-i-o \n \n \nBusiness recommendation: \n------------------------ \nWAGO's customers should upgrade the firmware to the latest version available. \n \nA thorough security review should be performed by security professionals to \nidentify further security issues. \n \n \nVulnerability overview/description: \n----------------------------------- \n1) Denial of Service (Codesys) (CVE-2021-34593) \nThe \"plclinux_rt\" binary is listening on port 2455. It handles communication with \nthe CODESYS suite. By sending requests that define an invalid packet size, a \nmalloc error can be triggered. This leads to a denial of service of the remote \nconnectivity of the codesys service. \n \nThis was also reported to and released together with CODESYS, find the \ncorresponding advisories here: \nhttps://sec-consult.com/vulnerability-lab/advisory/codesys-v2-denial-of-service/ \nhttps://customers.codesys.com/index.php?eID=dumpFile&t=f&f=16877&token=8faab0fc1e069f4edfca5d5aba8146139f67a175 \n \n \n2) Enumeration of Users \nDue to a time-based side channel vulnerability, it can be derived which \nusernames are valid. This eases the process of brute-forcing valid credentials. \n \n \n3) Outdated Software with Known Vulnerabilities \nThe PLC is using multiple outdated software components with known exploits. \n \n \n4) Insufficient Hardening of Binaries \nMultiple binaries are not compiled with available security features. This will \nease further attacks once a memory corruption vulnerability has been spotted. \n \n \nProof of concept: \n----------------- \n1) Denial of Service (Codesys) (CVE-2021-34593) \nCodesys packet headers are structured like below (pseudo code): \n \nstruct codesys_header { \nuint16_t magic, \nint32_t packet_size \n} \n \nThe magic bytes will be 0xbbbb. By defining a packet size of 0xffffffff, a size \nof 4 GB is defined. The following pseudo code will be used to handle the \nrequest: \n \nallocated_mem = (byte*)SysAllocDataMemory(coedesys_header.packet_size); \nbuffer_info->recv_buf_wout_header = allocated_mem; \nif (allocated_mem == (byte *)0x0) { \nreturn; \n} \n \nAs 4GB of memory aren't available, malloc will return a NULL pointer, which is \npassed back through the SysAllocDataMemory() function and the return statement \nin the pseudo code will be hit. Thus, the TCPServerTask() function will return. \nThe file descriptor for the client is not cleared in advance. Therefore, the \nsocket stays open indefinitely. A new client will open the next file \ndescriptor. As only 19 clients are allowed to be connected simultaneously, it \nis sufficient to send 19 requests with a wrong packet length to force the PLC \ninto a state where it will refuse further connections to the Codesys service. \n \nThe current implementation is missing the call to SysSockClose() once a buffer \nallocation fails. \n \n \n2) Enumeration of Users \nA time-based side channel vulnerability in the webserver's authentication \nmethod is leaking information about valid usernames. The following code snippet is \nused in the login method: \n \n// get password file and iterate over every line \n$pwFileArray = file($passwordFilename); \nforeach($pwFileArray as $lineNo => $pwFileLine) \n{ \n// extract username and user password \n$passwordFileData = explode(':', trim($pwFileLine)); \n// if username was found in line, verify given password with user password \nif(isset($passwordFileData[0]) && ($passwordFileData[0] === $username)) \n{ \n$pwCorrect = password_verify($password, $passwordFileData[1]); \nbreak; \n} \n} \n \nThe password hash is only calculated if the username is found to be valid. As \nthe PLC has limited computational power, this results in different timings for \nthe response depending on the validity of the username. The following script \ncan be used to find valid users. The parameter 'delay_valid' might need to be \nadjusted to the network speed: \n \n---------------------------- \n#!/usr/sbin/python \nimport requests \nimport sys \nimport urllib3 \nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) \n \ndelay_valid = 0.2 \n \nf = open(sys.argv[1],\"r\"); \n \nfor user in f.readlines(): \npayload = {\"username\":user.replace('\\n',''),\"password\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"} \ncnt = 0 \nfor i in range(5): \ntry: \nr = requests.post(\"https://<your_PLC_IP>/wbm/php/authentication/login.php\", json=payload, timeout=delay_valid, verify=False) \nexcept: \ncnt = cnt +1 \nif cnt >=3: \nprint(\"[*]Valid User: {}\".format(user)) \n----------------------------- \n \n \n3) Outdated Software with Known Vulnerabilities \nFollowing outdated and vulnerable components were identified by using the IoT Inspector \nfirmware analysis tool: \n \n- Dsnmasq 2.80: 9 CVEs \n- Bash 4.4.23: 1 CVE \n- GNU glibc 2.30: 12 CVEs \n- Linux Kernel 4.9.146: 663 CVEs \n- OpenSSL 1.0.1: 103 CVEs \n- BusyBox 1.30.1: 2 CVEs \n- Curl 7.72.0: 1 CVE \n- OpenSSH 7.9p1: 4 CVEs \n- PHP 7.3.15: 11 CVEs \n- Wpa_supplicant 2.6: 20 CVEs \n- NET-SNMP 5.8: 1 CVE \n- Libpcap 1.8.1: 5 CVEs \n- Info-ZIP 3.0: 13 CVEs \n \n \n4) Insufficient Hardening of Binaries \nThe following features were extracted with the IoT Inspector: \n- 1.9% of all executables support full RELRO \n- 84.6% support partial RELRO \n- Only 3.6% of all executables make use of stack canaries \n- 58.9% are using ASLR/PIE \n \nThe plclinux_rt binary is an example of a particularly vulnerable binary. It \naccepts user input on port 2455 and is missing all compile-time security \nfeatures. Thus, it's a perfect candidate to successfully exploit any identified \nbuffer overflow. \n \n \nVulnerable / tested versions: \n----------------------------- \nThe following versions have been tested and found to be vulnerable: \n* WAGO 750-8xxx Firmware 18 (v03.06.11) \n* WAGO 750-8xxx Firmware 15 (v03.03.10) \n \n \nVendor contact timeline: \n------------------------ \n2021-05-25: Contacting vendor through support.at@wago.com, asking for \nsecurity contact information. Support informed about their \nPSIRT team. Set preliminary release date to 2021-07-14. \n2021-05-26: Contacting PSIRT through psirt@wago.com for encryption options. \n2021-05-27: Received PGP key from PSIRT, transmitted encrypted advisory \nto psirt@wago.com. \n2021-05-31: Wago PSIRT notifies about decryption problems. \n2021-06-02: Wago PSIRT redirects to VDE CERT for encrypted transmission. \nTransmitted encrypted advisory to info@cert.vde.com. Set release \ndate to 2021-07-22. Wago PSIRT resolves decryption problems. \n2021-06-07: Received confirmation from VDE CERT. \n2021-08-11: On request, Wago PSIRT informs about the investigation results \nand mentions that the DoS was already reported and is fixed with \nfirmware 18 patch 3. \n2021-08-18: A check on the most recent public firmware release \nv18 (v03.06.19) shows that the vulnerability still exists. Wago \nPSIRT is notified. \n2021-09-01: Wago PSIRT confirms and ensures the issue is investigated. \n2021-09-29: Request status from Wago PSIRT. Set new release date to 2021-11-16. \n2021-09-30: Wago PSIRT states that CODESYS provided a fix which is currently \ntested and to wait for a coordinated release with CODESYS. \n2021-10-15: CODESYS informs about the assigned CVE-2021-34593 and the planned \npublishing date. \n2021-10-18: Requesting information from Wago on an updated firmware version. \n2021-10-19: Wago PSIRT states that they just received the new CODESYS sources \nand it will take some more weeks to create a new firmware release. \n2021-10-28: CODESYS vulnerability CVE-2021-34593 is released in a coordinated \nmanner together with CODESYS group without exploit details. \n2021-11-30: Request status from Wago PSIRT on new firmware release. \n2022-01-17: Request status from Wago PSIRT on new firmware release again. \n2022-01-18: Wago PSIRT informs that firmware 20 Patch 1 released on January 10, \n2022 fixes the remaining issue. The firmware was not yet published \non their website. \n2022-01-26: Release of security advisory. \n \n \nSolution: \n--------- \nImmediately update the PLCs to the fixed firmware version provided by the \nvendor to mitigate CVE-2021-34593. \n \nThe fixed firmware release 20 patch 1 can be obtained from \nhttps://www.wago.com/de/d/6599873 \n \nRegarding vulnerability 2) \nAs stated by Wago, there are only two possible default usernames. Therefore, \nthe username enumeration may not gain additional information and this will \nnot be changed. \n \nAdditionally, due to varying release cycles, there is a delay \nin updating components (affecting the other identified vulnerabilities). It is \nplanned to change to a new distribution release with firmware 20. \n \n \nWorkaround: \n----------- \nNone \n \n \nAdvisory URL: \n------------- \nhttps://sec-consult.com/vulnerability-lab/ \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult, an Atos company \nEurope | Asia | North America \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an \nAtos company. It ensures the continued knowledge gain of SEC Consult in the \nfield of network and application security to stay ahead of the attacker. The \nSEC Consult Vulnerability Lab supports high-quality penetration testing and \nthe evaluation of new offensive and defensive technologies for our customers. \nHence our customers obtain the most current information about vulnerabilities \nand valid recommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://sec-consult.com/career/ \n \nInterested in improving your cyber security with the experts of SEC Consult? \nContact our local offices https://sec-consult.com/contact/ \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF Gerhard Hechenberger, Steffen Robertz / @2022 \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/165874/SA-20220126-0.txt", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}

CODESYS 2.4.7.0 Denial Of Service Exploit

Description

Related