
Commonly existing PLC Supply Chain Threats: Multiple critical vulnerabilities in Codesys Runtime

Abstract

  • We conducted in-depth research on the CODESYS V2 runtime and on PLCs built on this kernel (ABB AC500 PLCs).

  • We found 11 vulnerabilities in the CODESYS V2 runtime.

  • Of the accepted vulnerabilities, 2 were rated critical, 7 high risk, and 2 medium risk.

  • These vulnerabilities are simple to exploit, and successful exploitation leads to consequences such as sensitive information leakage, PLCs entering a severe fault state, and arbitrary code execution. Combined with the industrial scenarios in the field, these vulnerabilities could expose industrial production to stagnation, equipment damage, etc.

  • CODESYS has published an official security advisory with fixes for the vulnerabilities mentioned here. However, many vendors who use the CODESYS V2 runtime have not yet updated in time, so factories using the affected products remain at serious risk.

  • The manufacturers who use the CODESYS V2 runtime include, but are not limited to, ABB, WAGO, IFM, EPEC, Beckhoff, Kontron, Moeller, Festo, several Russian industrial control manufacturers, and several Chinese industrial control manufacturers.

Introduction

 CoDeSys is a manufacturer-independent IEC 61131-1 programming system from Germany's 3S (Smart Software Solutions), the world's best-known developer of soft PLC kernel software. CoDeSys supports the IEC 61131 standard programming environment and its six standard languages: IL, ST, FBD, LD, CFC and SFC. It is a standard software platform supported by many hardware manufacturers and programmable by over 150 OEMs producing automation devices. CoDeSys, short for Controller Development System, is the complete development environment for programmable logic controllers (PLCs).

 The CoDeSys framework consists of two parts: the IDE and the Runtime.

 The CoDeSys IDE (Integrated Development Environment) complies with the IEC 61131 programming specification and is installed on a PC running Windows. It is the set of development tools used by end users.

 The CoDeSys Runtime is the part that runs on the hardware platform. It is produced jointly by the device manufacturer and 3S: 3S evaluates the hardware system designed by the manufacturer and customizes the CoDeSys Runtime framework for it, and the manufacturer pays 3S for this work.

 Using a mature solution lets manufacturers develop industrial products quickly and capture target markets, while also reducing development effort and increasing development efficiency. For this reason CoDeSys solutions are used by many manufacturers and control both discrete and process production on factory floors around the world.

ABB AC500 PLC research process

Firmware Extraction & Analysis

  We selected ABB's AC500 series PLC. The research goals were firmware analysis and security research on the private protocol. The hardware is a PM564-RP-ETH-AC, and its firmware was upgraded to the latest version, 2.8.4, through the configuration software Automation Builder 2.4.1.

 Having fixed the research goal, we first set up a test environment and scanned the PM564 with nmap, obtaining the results shown below.

 Fortunately, ABB provides the official firmware for download, as shown below. The link is: https://new.abb.com/plc/programmable-logic-controllers-plcs/ac500-eco/cpus

 After downloading the firmware package, locate the firmware corresponding to the PM564 module. It contains the following files: the 2_0_2 folder for the BootLoader, the 2_8_4 folder for the firmware, the ONB_IO folder for the onboard I/O part, and the RTC_BATT folder for the RTC battery part.

 The firmware folder contains only one file, Pm55xE.gza. Its contents are shown below; the file has been specially processed (encryption, compression, character replacement, etc.).

 Because the processed firmware cannot be analyzed directly, we decided to desolder the flash chip and extract the firmware from the PLC. In the figure below, on the left is the CPU of the PLC, an MPC852T, a quad integrated communications controller of the MPC860 family based on the PowerPC architecture. On the right is the PLC's flash chip, an M29W320EB, a NOR flash with a capacity of 4 MB.

 Next we desoldered the flash chip and read its contents with a programmer. Analyzing the dump, we found a byte-order problem; after fixing the byte order we ran binwalk on it, as shown below. The firmware part starts at 0x50010.

 The remaining work was to import the firmware part into IDA, locate the start address, and then, based on experience, search for strings to locate the communication-processing function. The following figure shows the result of the IDA analysis.

Protocol Analysis

 Next, we used Wireshark to capture the communication on TCP port 1200 and examined the packet structure. Both request and response packets carry a 19-byte header starting with 4f 96 05, followed by a payload starting with "aa aa".

 TCP port 1201 is kept for compatibility with older versions of the configuration software and uses the standard CODESYS V2 protocol, whose packets begin with "bb bb".

 The standard CODESYS V2 protocol structure is shown below.

 From this we conclude the following.

  • Desoldering the flash chip yields the PLC firmware, which can be analyzed to recover the firmware's working algorithms.
  • Port 1201 uses the standard CODESYS V2 protocol.
  • Port 1200 uses a private protocol that is a modification of CODESYS V2.
  • The operating system of the PLC is SMX from Micro Digital, still at version V3.5.
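As an added example (not code from this repository), the following classifier labels a captured TCP payload by the markers just described, so that a passive monitor on the PM564 ports can tell standard CODESYS V2 traffic from the ABB private variant. It assumes the "aa aa" bytes sit immediately after the 19-byte header and matches on magic bytes only, not on port numbers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not code from the repository. It labels a captured TCP
 * payload by the markers reported above: the ABB private protocol on port 1200
 * (19-byte header starting 4f 96 05, payload starting aa aa) and the standard
 * CODESYS V2 protocol on port 1201 (starting bb bb). Assumed: the aa aa bytes
 * sit immediately after the 19-byte header. */
enum plc_proto { PROTO_UNKNOWN = 0, PROTO_CODESYS_V2 = 1, PROTO_ABB_PRIVATE = 2 };

#define ABB_HDR_LEN 19

struct plc_frame {
    enum plc_proto proto;
    size_t payload_off;   /* offset of the payload inside the capture */
    size_t payload_len;
};

/* Classifies by magic bytes only, so a frame seen on an unexpected port is
 * still recognised; anything short or malformed is PROTO_UNKNOWN. */
static struct plc_frame classify_plc_frame(const uint8_t *buf, size_t len)
{
    static const uint8_t abb_magic[3] = { 0x4f, 0x96, 0x05 };
    static const uint8_t abb_payload[2] = { 0xaa, 0xaa };
    static const uint8_t v2_magic[2] = { 0xbb, 0xbb };
    struct plc_frame f = { PROTO_UNKNOWN, 0, 0 };

    if (len >= ABB_HDR_LEN + 2 && memcmp(buf, abb_magic, 3) == 0 &&
        memcmp(buf + ABB_HDR_LEN, abb_payload, 2) == 0) {
        f.proto = PROTO_ABB_PRIVATE;
        f.payload_off = ABB_HDR_LEN;
        f.payload_len = len - ABB_HDR_LEN;
    } else if (len >= 2 && memcmp(buf, v2_magic, 2) == 0) {
        f.proto = PROTO_CODESYS_V2;
        f.payload_len = len;
    }
    return f;
}

/* Constructed sample captures: header bytes after the magic are filler. */
static const uint8_t sample_abb[23] = {
    0x4f, 0x96, 0x05, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0xaa, 0xaa, 0x01, 0x02 };
static const uint8_t sample_v2[4] = { 0xbb, 0xbb, 0x14, 0x00 };
/* Same ABB magic but truncated before the payload marker: not classified. */
static const uint8_t sample_short[19] = { 0x4f, 0x96, 0x05 };
```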

 We used our self-developed fuzzing tool, Effective OT Fuzzer, to test the security of the CODESYS V2 protocol and found multiple denial-of-service vulnerabilities in less than 2 hours. The picture below demonstrates one of them: the PM564's ERR light flashes and the PLC enters critical failure mode; normal operation can be restored by a restart.

 We verified the other PLC devices using the CODESYS Runtime and found that they are affected by these vulnerabilities as well, confirming that the vulnerabilities are introduced by the CODESYS Runtime. Note that the PM564 uses an outdated Runtime version, 2.4.7.48, as shown below.

CodeSys Vulnerability Research and Analysis

 We downloaded the CODESYS V2.3 software, set up a corresponding fuzz-testing environment, found multiple vulnerabilities in the Runtime, and submitted them to CODESYS. On October 25, 2021, CODESYS officially released a security advisory for these vulnerabilities together with a new Runtime version, 2.4.7.56.

 Next we wanted to research CODESYS Runtime vulnerabilities in more depth, and using the following research methodology we discovered 10+ vulnerabilities in the latest CODESYS Runtime, 2.4.7.56, and in ABB AC500 PLCs.

  • Traffic Analysis
  • Pseudocode review
  • Fuzz Testing
  • …………

 The following is a technical analysis of CVE-2022-31805 and CVE-2022-32137.

About CVE-2022-31805

CWE-523: Unprotected Transport of Credentials

 Passwords exchanged between the communication clients and servers of the affected products are transmitted unprotected. This allows attackers to guess passwords if they can sniff the communication.

  • Why is a password needed? Setting a password prevents unauthorized and sensitive operations and protects the PLC from malicious attacks. A password-protected PLC requires the correct password before run, stop, download or upload operations are performed.

  • How is the PLC password set up? As shown below, use the cmd command to set the PLC password.

  • How is the password compromised? Once a password has been set, it must be entered before the PLC can be operated again. Unfortunately, when the user enters the correct password, it is transmitted to the PLC without any protection, which is plainly visible in the traffic shown below. An attacker who can access this traffic can easily obtain the password and control the target PLC.

About CVE-2022-31806

CWE-1188: Insecure Default Initialization of Resource

 Password protection is not enabled by default, and there is no information or prompt to enable it at login when no password is set on the controller.

 It is known that CODESYS compiles POUs into native machine code, which is not secure by design. Other industrial control vendors, such as Siemens, designed a VM named MC7 to interpret and execute PLC tasks.

 Setting a password mitigates the vulnerability, but password protection is not enabled by default for either the emulator or real PLC devices. An attacker can create a malicious project, download it to a PLC and run it to execute arbitrary code on the PLC. We successfully exploited this vulnerability on the ABB AC500 PLC and the CODESYS emulator.

About CVE-2022-32137

CWE-122: Heap-based Buffer Overflow

  A crafted request may cause a heap-based buffer overflow in the affected CODESYS products, resulting in a denial-of-service condition or memory overwrite.

 When the CODESYS Runtime receives a malformed packet with function code 0x14, it enters the processing flow shown below, first entering the function sub_402b85:

 Inside this function is the following handler, where memcpy copies 2 bytes from the received message into the variable v5, and v5 is then used as the loop count of a for statement.

 Inside the for loop, the function sub_4023f1 is called with two parameters, the first of which is computed under the control of v5. Because v5 is never checked, a large v5 makes the first parameter a1 equally large. Since a1 is used as the first parameter of memcpy, an oversized a1 leads to a heap buffer overflow and a crash from accessing an illegal address.
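To make the missing check concrete, here is an added example (not CODESYS code) that models the 0x14 handler described above and adds the bound validation it lacks: the packet-supplied count v5 is checked against both the bytes actually received and the destination capacity before any memcpy runs. The request layout (function code byte, big-endian 16-bit count, then 8-byte records) and the names FC_VULNERABLE, RECORD_SIZE and HEADER_SIZE are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not CODESYS code: a model of the 0x14 handler described
 * above with the bound check it lacks. Assumed request layout: byte 0 = function
 * code 0x14, bytes 1-2 = 16-bit record count (the page's v5, big-endian here),
 * then `count` records of RECORD_SIZE bytes each. */
#define FC_VULNERABLE 0x14
#define RECORD_SIZE   8
#define HEADER_SIZE   3

/* Copies each record into dst, the heap buffer. In the vulnerable flow the
 * loop trusts v5, so a1 = i * RECORD_SIZE runs past both dst and the message.
 * Returns the number of records copied, or -1 when the request is rejected. */
static int handle_fc14(const uint8_t *msg, size_t len, uint8_t *dst, size_t dst_cap)
{
    if (len < HEADER_SIZE || msg[0] != FC_VULNERABLE)
        return -1;
    uint16_t count = (uint16_t)((msg[1] << 8) | msg[2]);   /* v5 */
    size_t need = (size_t)count * RECORD_SIZE;            /* bytes the loop touches */

    /* The missing check: the message must carry `need` bytes and they must
     * fit the destination. A count of 0xffff fails here instead of in memcpy. */
    if (need > len - HEADER_SIZE || need > dst_cap)
        return -1;

    for (size_t i = 0; i < count; i++) {
        size_t a1 = i * RECORD_SIZE;   /* the page's a1, derived from v5 */
        memcpy(dst + a1, msg + HEADER_SIZE + a1, RECORD_SIZE);
    }
    return (int)count;
}

/* Constructed requests and destination buffers for the checks. */
static const uint8_t good_req[HEADER_SIZE + 2 * RECORD_SIZE] = {
    0x14, 0x00, 0x02,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
/* Same 16 data bytes, but count = 0xffff: the loop would touch 524280 bytes. */
static const uint8_t bad_req[HEADER_SIZE + 2 * RECORD_SIZE] = {
    0x14, 0xff, 0xff,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t plc_heap[64];   /* large enough for good_req */
static uint8_t small_heap[8];  /* fits the packet but not two records */
```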

Vulnerabilities Overview

Scope of the vulnerability

 This security advisory lists only the following products:

  • CODESYS Runtime Toolkit 32 bit full prior version V2.4.7.57
  • CODESYS PLCWinNT prior version V2.4.7.57

 However, since the CODESYS V2 Runtime is used by many manufacturers, most of whom run outdated versions, the vulnerabilities affect a much larger range: anything using a version of the CODESYS V2 Runtime older than V2.4.7.57 is affected.

 The products listed below may be affected by the vulnerabilities and require security enhancements.

  • ABB AC500 controller
  • WAGO 750/PFC200 controller
  • FESTO FEC&ECCC controller
  • EATON XV&XV controller
  • Bosch Rexroth IndraMotion/IndraLogic controller
  • EXOR eTop400/500/600 controller
  • KINCO F122 CAN BUS controller
  • KEBA CPxxx controller
  • Bachmann M1 controller
  • ………………

Protection and recommendations

  1. Place the affected products behind security protection devices and apply a defense-in-depth strategy for network security.
  2. Use secure VPN networks when remote access is required, with adequate access control and auditing.
  3. Follow the vendors' security updates and upgrade the affected products, after testing, to keep them secure from threats.
  4. Minimize the exposure of the affected devices' private communication ports and, depending on the service scenario, selectively close the affected ports such as 1200/1201/2455.
  5. Vendors who use the CODESYS V2 Runtime are recommended to investigate their own products promptly and to actively fix and release patched firmware versions.

TimeLine

  • On September 15, 2021, we started research on the ABB AC series PLC and the CODESYS V2 runtime.
  • On September 29, 2021, 3 vulnerabilities in the CODESYS V2 runtime were submitted to CODESYS.
  • On October 25, 2021, CODESYS published a security advisory and a new version of the CODESYS V2 runtime, 2.4.7.56.
  • On November 4, 2021, 6 vulnerabilities in the latest version were submitted to CODESYS.
  • On December 8, 2021, CODESYS stated that it expected to release the fixes and associated advisories in March/April 2022.
  • On January 14, 2022, we submitted 12 vulnerabilities in the AC500 PLC to ABB.
  • On May 24, 2022, CODESYS officially confirmed the vulnerabilities and assigned CVE IDs.
  • On June 23, 2022, CODESYS published a security advisory and a new version of the CODESYS V2 runtime, 2.4.7.57, which fixes multiple vulnerabilities that I submitted.

Attack Demonstration

Appendix
