EXPLOITED: Siemens PLCs, SIMATIC S7-1200 & S7-1500
February 08, 2023
Story
Hackers are looking to rise to that top echelon of attacks, achieving that single intrusion they can brag about for years. One of these hacks worth bragging about is to obtain undetected access to code executed on a programmable logic controller (PLC). Why? Because these systems have an abundance of in-memory protections needing to be bypassed. If successful, the integrated code would be in the thick of existing code going undetected by operating systems or security software. Previous work has required physical access and connections to the PLC, or techniques that target engineering workstations and other links to the PLC in order to gain that level of code execution.
(Image Credit: Team82)
Team82 identified a critical memory security detour vulnerability, CVE-2020-15782, within Siemens PLCs, the SIMATIC S7-1200 and S7-1500. The common vulnerability and exposure (CVE) disables access protection allowing read and write code everywhere on the PLC or the ability to remotely execute malicious code.
Escaping the Sandbox with CVE-2020-15782
The disclosed vulnerability slides around security within the PLC’s execution ecosystem, as well as a sandbox where code would generally function. Team82 leveraged CVE-2020-15782, evading the sandbox to access memory for writing and infusing shellcode to attack the Siemens 1200/1500 PLCs.
To “jailbreak” the native SIMATIC S7-1200 and S7-1500 sandboxes, Team82 utilized its memory protection bypass vulnerability, allowing the black-hats to input random data to “protected” memory or read critical information for further exploitations of the environment.
The Siemens S7 PLCs are powered by the ADONIS kernel and an ARM or MIPS core. The controller is compatible with many programming languages including Structured Control Language (SCL), Ladder Diagram (LD), Statement List (STL), and Function Block Diagram (FBD).
(Image Credit: Team82)
Claroty had to reverse engineer the bytecode language (Siemens has yet to publicly disclose information on how to decode the MC7/MC7+ bytecode) to learn more about the internal environment and to find areas to exploit.
Team82’s virtual machine hinders data flow in user’s programs with compiled bytecode made available by the operating system and not direct hardware operation. This constrains the user and code to a specific protocol deemed safe*, locking code into the sandbox with reduced access to storage and resources, and crippling functionality, thereby damaging the PLC.
(Image Credit: Team82)
Team82 summarizes, “Escaping the sandbox means an attacker would be able to read and write from anywhere on the PLC, and could patch an existing VM opcode in memory with malicious code to root the device. Claroty, for example, was able to inject ARM or MIPS shellcode directly to an internal operating system structure in such a way that when the operating system uses a specific opcode that we chose, our malicious shellcode would execute, giving us remote code execution. We used this technique to install a kernel-level program with some functionality that is completely hidden to the operating system.”
The Vulnerability
- CVE-2020-15782
- CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
- CVSS v3.1 Score: 8.1
*For example, the operating system will restrict any direct access to protected memory, but will allow the use of any function from the standard library provided by Siemens (e.g. ADD_I - Add Integer subroutine).