ICS-SCADA

CVE-2020-15782 flaw in Siemens PLCs allows remote hack

Industrial cybersecurity firm Claroty discovered a new flaw in Siemens PLCs that can be exploited by a remote and unauthenticated attacker to hack the devices.

Researchers at industrial cybersecurity firm Claroty have discovered a high-severity vulnerability in Siemens PLCs, tracked as CVE-2020-15782, that could be exploited by remote and unauthenticated attackers to bypass memory protection.

The vulnerability could allow an attacker with network access to TCP port 102 to write or read data in protected memory areas.

The flaw impacts SIMATIC S7-1200 and S7-1500 CPUs, the vendor has already released firmware updates for the impacted systems. Siemens also provided workarounds for those products for which the vendor has yet to address the flaw.

“SIMATIC S7-1200 and S7-1500 CPU products contain a memory protection bypass vulnerability that could allow an attacker to write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks.” reads the advisory published by the German vendor. “Siemens has released updates for several affected products and strongly recommends to update to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet available.”

The flaw could allow attackers to bypass the sandbox to run native code in protected areas of memory of Siemens S7 PLCs.

“Previous work has required physical access and connections to the PLC, or techniques that target engineering workstations and other links to the PLC in order to gain that level of code execution. Claroty, meanwhile, has taken those efforts a step further using a newly discovered vulnerability that bypasses the PLC sandbox within Siemens’ SIMATIC S7-1200 and S7-1500 PLC CPUs to run native code in protected areas of memory.” reads the post published by Claroty. “An attacker could use this vulnerability, CVE-2020-15782, to remotely obtain read-write memory access that would be difficult to detect and remove.”

The company’s researchers showed how an attacker could bypass protections and write shellcode directly into protected memory. An attack exploiting this vulnerability would be difficult to detect, the researchers claim.

An attacker that is able to escape the sandbox would be able to remotely read and write data on the PLC, and could potentially patch an existing VM opcode in memory with malicious code to achieve root permissions on the device.

“Claroty, for example, was able to inject ARM/MIPS shellcode directly to an internal operating system structure in such a way that when the operating system uses a specific opcode that we chose, our malicious shellcode would execute, giving us remote code execution.” concludes Claroty. “We used this technique to install a kernel-level program with some functionality that is completely hidden to the operating system,” they added.

Claroty’s blog post describes the PLC sandbox and the role CVE-2020-15782 could play in an attack.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Siemens PLCs)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Silent Ransom Group targeting law firms, the FBI warns

FBI warns Silent Ransom Group has targeted U.S. law firms for 2 years using callback…

5 hours ago

Leader of Qakbot cybercrime network indicted in U.S. crackdown

The U.S. indicted Russian Rustam Gallyamov for leading the Qakbot botnet, which infected 700K+ devices…

10 hours ago

Operation RapTor led to the arrest of 270 dark web vendors and buyers

Law enforcement operation codenamed 'Operation RapTor' led to the arrest of 270 dark web vendors…

1 day ago

Chinese threat actors exploited Trimble Cityworks flaw to breach U.S. local government networks

A Chinese threat actor, tracked as UAT-6382, exploited a patched Trimble Cityworks flaw to deploy…

2 days ago

U.S. CISA adds a Samsung MagicINFO 9 Server flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Samsung MagicINFO 9 Server vulnerability to its…

2 days ago

New Signal update stops Windows from capturing user chats

Signal implements new screen security on Windows 11, blocking screenshots by default to protect user…

2 days ago