Pierluigi Paganini December 05, 2017

A PLC flaw can be a serious threat to production and critical infrastructure and WAGO has 17 models of the PFC200 Series PLC vulnerable to remote exploit.

Programmable Logic Controller (PLC) devices allow for remote automation of robotics, manufacturing, nuclear energy, oil & gas production and transportation and many other industrial tasks.

A PLC vulnerability can be a serious threat to production and critical infrastructure and WAGO has 17 models of the PFC200 Series PLC vulnerable to remote exploit.

Security researchers at SEC Consult found the flaw in version 2.4.7.0 of the CODESYS runtime which is included on PFC200s with firmware version 02.07.07. The CODESYS runtime is commonly included on PLCs to allow for easy programming by users. There are specific versions for different manufacturers and it is constantly being upgraded and improved.

As early as 2012, Reid Wightman,  a security researcher at IOActive, identified vulnerabilities in versions 2.3.x and 2.4.x of the CODESYS runtime which allowed for unauthorized remote administrative access to PLCs running these versions. With this access, the attackers are able to execute privileged operations and perform file changes which equate to reprogramming of the device. The author of the CODESYS runtime, 3S, issued a patch to address these vulnerabilities, but it is up to vendors and users to implement the patch on affected equipment.

Now, security researchers at SEC Consult have found another flaw in the CODESYS runtime allowing for authenticated remote access even on systems running the earlier patch. The CODESYS runtime includes a “plclinux_rt” service which runs with the CODESYS’ root privileges and.

According to SEC Consult researchers, sending specifically crafted packets to this port, attackers are able to trigger the following functions:

• Arbitrary file read/write/delete (also covered by “Digital Bond’s Tools”)
• Step over a function in the currently executed PLC program
• Cycle step any function in the currently executed PLC program
• Delete the current variable list of the currently executed PLC program
• And more functions…

This appears to be sufficient access to interfere with the current PLC programming or introduce new PLC code to perform whatever operations the remote attacker wishes.

WAGO has confirmed that 750-88X Series of the PFC200 PLCs and 750-810X Series of the PFC100 PLCs are not vulnerable to the exploit. They have yet to release a patch for the 17 known vulnerable versions. In the meantime, mitigations include disabling the “plclinux_rt” service and isolating the PLCs from the Internet. Given high availability requirements for PLCs and the expectation that an outage will be required to apply a patch when it comes, it is unlikely that many users will choose to disable the service. Most industrial automation network designs leverage restrictive security zones so many WAGO devices should be isolated.

However a simple Censys search shows many PFC200 devices are directly accessible from the internet (this search does not determine if these are vulnerable PLCs or not.)

The CODESYS runtime is widely deployed by many vendors and numerous vulnerabilities have been identified in this runtime over several years. It is likely that more PLCs will be found to have vulnerabilities. As SEC Consult warns, “Devices of any other vendor which use the CODESYS 2.3.X/2.4.X runtime are potentially prone to the same vulnerability.”

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.

Pierluigi Paganini

(Security Affairs – WAGO PFC200 Series PLC, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]