ArsTechnica:
by Dan Goodin
Software used to manage equipment in power plants, military environments, and ships contains an undocumented backdoor that could allow malicious hackers to access sensitive systems without authorization.
The CoDeSys software tool, which is used in industrial control systems sold by 261 different manufacturers, contains functionality that allows people to remotely issue powerful system commands, Reid Wightman, a researcher with security firm ioActive, told Ars. The CoDeSys tool will grant a command shell to anyone who knows the proper command syntax and inner workings, leaving systems that are connected to the public Internet open to malicious tampering.
"There is absolutely no authentication needed to perform this privileged command," Wightman said. "Imagine if your laptop had a service that accepted an unauthenticated 'shutdown' command, and if someone sent it your laptop [would] shut off and you [would lose] all your work. Anybody on the network could shut off your laptop without needing your password. That would suck. And that's the case here."
Of the two specific programmable logic controllers (PLCs) Wightman has tested, both allowed him to issue commands that halted the devices' process control. He estimated that thousands of other models also ship with CoDeSys installed, and he said most of them are probably vulnerable to the same types of attacks. He declined to identify the specific models he tested except to say that one ran the Linux operating system on Intel-compatible processors and the other used Microsoft's Windows CE running on ARM chips. Wightman said a quick search using Shodan, a search engine that indexes Internet-connected devices, showed 117 devices directly connected to the Internet, but he suspects more detailed queries could turn up many more. A blog post that contains additional vulnerability details says code that automates the exploit is expected to be added to the Metasploit software framework used by hackers and security professionals.
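Because the runtime answers privileged commands to anyone who can reach it, the practical control while waiting on vendor fixes is to make sure nothing outside the engineering network can reach it at all. The script below is an added illustration, not code from the article, from ioActive, or from the CoDeSys project: it reads connection records and flags sessions to a PLC's management port that come from outside an allow-listed engineering subnet, distinguishing "wrong internal segment" from "reachable from the Internet". The port number (2455, assumed here as the runtime's default), the subnets, and the log lines are assumptions and constructed sample data, not facts from the page.

```python
"""Flag sessions that reach a PLC runtime's management service from outside the
engineering network. Added illustration only; the port, subnets and log records
below are assumptions and constructed sample data, not taken from the article."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the PLC runtime's command/management service listens on TCP 2455.
# Replace with the ports your asset inventory actually shows for each PLC.
PLC_MGMT_PORTS = {2455}

# Assumption: only engineering workstations on this subnet may talk to PLC
# management services. Anything else inside the plant is the wrong segment.
ENGINEERING_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Explicit RFC 1918 list rather than ipaddress's is_private, which also treats
# documentation ranges such as 198.51.100.0/24 as "private".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_conn_line(line: str) -> Conn:
    """Parse one tab-separated record: timestamp, src, dst, dst port, protocol."""
    ts, src, dst, dport, proto = line.rstrip("\n").split("\t")
    return Conn(ts, src, dst, int(dport), proto.lower())


def _in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def classify(conn: Conn) -> Optional[str]:
    """Return a verdict for sessions to a PLC management port, else None."""
    if conn.proto != "tcp" or conn.dport not in PLC_MGMT_PORTS:
        return None
    if not _in_any(conn.src, INTERNAL_NETS):
        # Source is outside every internal range: the exposure the article
        # describes, a management service answering to the open Internet.
        return "internet-reachable"
    if not _in_any(conn.src, ENGINEERING_NETS):
        # Internal, but not an engineering host: segmentation is not enforced.
        return "wrong-segment"
    return None


def flag_exposed_sessions(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, src, dst, verdict) for every session that should not exist."""
    findings = []
    for line in lines:
        conn = parse_conn_line(line)
        verdict = classify(conn)
        if verdict is not None:
            findings.append((conn.ts, conn.src, conn.dst, verdict))
    return findings


# Constructed sample records (not real traffic). Columns: ts, src, dst, dport, proto.
SAMPLE_CONN_LOG = [
    "2012-11-01T10:00:01\t10.20.5.14\t10.20.9.2\t2455\ttcp",     # engineering host: allowed
    "2012-11-01T10:00:07\t10.50.1.7\t10.20.9.2\t2455\ttcp",      # corporate desktop: wrong segment
    "2012-11-01T10:00:12\t198.51.100.23\t10.20.9.2\t2455\ttcp",  # outside address: exposed
    "2012-11-01T10:00:15\t198.51.100.23\t10.20.9.2\t80\ttcp",    # not the management port: ignored here
    "2012-11-01T10:00:20\t10.50.1.7\t10.20.9.2\t2455\tudp",      # not TCP: ignored
]

if __name__ == "__main__":
    for ts, src, dst, verdict in flag_exposed_sessions(SAMPLE_CONN_LOG):
        print(f"{ts} {src} -> {dst}: {verdict}")
```

Run it against exported firewall or flow logs in the same five-column form; any "internet-reachable" hit is a PLC that belongs behind a firewall today, and "wrong-segment" hits show where the engineering VLAN boundary is not actually enforced.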