Researchers at industrial cybersecurity firm Claroty have identified a serious vulnerability that can be exploited by a remote and unauthenticated attacker to hack some of the programmable logic controllers (PLCs) made by Siemens.
The vulnerability is tracked as CVE-2020-15782 and it has been described as a high-severity memory protection bypass issue that allows an attacker with network access to TCP port 102 to write or read data in protected memory areas.
Siemens says the security hole impacts its SIMATIC S7-1200 and S7-1500 CPUs. The German industrial giant has released firmware updates for some of the impacted devices and it has provided workarounds for products for which patches have yet to be released.
According to Claroty, the vulnerability can be exploited to gain native code execution on Siemens S7 PLCs by bypassing the sandbox where engineering code normally runs and gaining direct access to the device’s memory.
The company’s researchers showed how an attacker could bypass protections and write shellcode directly into protected memory. An attack exploiting this vulnerability would be difficult to detect, the researchers claim.
“Escaping the sandbox means an attacker would be able to read and write from anywhere on the PLC, and could patch an existing VM opcode in memory with malicious code to root the device,” Claroty researchers explained in a blog post published on Friday.
“Claroty, for example, was able to inject ARM/MIPS shellcode directly to an internal operating system structure in such a way that when the operating system uses a specific opcode that we chose, our malicious shellcode would execute, giving us remote code execution. We used this technique to install a kernel-level program with some functionality that is completely hidden to the operating system,” they added.
Claroty’s blog post describes the PLC sandbox and the role CVE-2020-15782 could play in an attack.