Vulnerabilities in Beckhoff Automation TwinCAT/BSD OS put PLCs at risk of logic tampering, DoS attacks

Nozomi Networks Labs disclosed Tuesday four vulnerabilities in the Beckhoff Automation TwinCAT/BSD operating system that, in the right conditions, could leave PLCs (programmable logic controllers) vulnerable to logic tampering or Denial-of-Service (DoS) attacks, significantly impacting the supervised industrial process. In practice, the issues present serious threats, such as the ability to execute commands with root privileges on the PLC or to induce OS-level freezes that require a power cycle to resolve.

“A successful attack requires obtaining access to a valid local account on the operating system. However, no specific privileges are necessary, meaning that even users or third-party applications with the lowest possible allowance on the PLC could exploit these flaws if left unaddressed,” the research team wrote in a Tuesday blog. “Upon sharing our findings with Beckhoff Automation, they took fast action to resolve the issue, demonstrating an impressive and remarkable 2-month response time. Patches and mitigations for these vulnerabilities are now available on Beckhoff’s official Advisories page.”

Nozomi detailed that, of the four vulnerabilities, CVE-2024-41173 and CVE-2024-41175 affect the IPC-Diagnostics package included in TwinCAT/BSD in versions before 2.0.0.1; CVE-2024-41174 affects the IPC-Diagnostics-www package in versions before 2.1.1.0; and CVE-2024-41176 affects the MDP package in versions before 1.2.7.0.

The post pointed out that TwinCAT/BSD is an operating system developed by Beckhoff Automation, designed to combine the real-time control capabilities of TwinCAT with the robust and versatile features of the BSD Unix-based operating system. TwinCAT, short for ‘The Windows Control and Automation Technology,’ is a software system that transforms almost any PC-based system into a real-time controller with multi-PLC system capabilities, with the added benefit of being highly compatible with standard IT infrastructure.

Among the software that can be installed on TwinCAT/BSD is Beckhoff Device Manager, a comprehensive suite of features for overseeing the operational status, performance, and configuration of Beckhoff devices remotely from a centralized location. All of the security flaws described in the Nozomi post were identified by analyzing this software.

Nozomi revealed that the Beckhoff Automation vulnerabilities have notable repercussions on affected devices. Should an attacker obtain any form of access to the PLC's operating system, regardless of the privilege level, they could carry out the following attack scenarios.

When it comes to tampering with the PLC logic, Nozomi detailed that an attacker with limited credentials could exploit one of the identified vulnerabilities to reset the PLC administrator’s password without needing the original one. “This would allow them to connect to the PLC with administrative access via standard engineering tools and to reprogram the device as desired, potentially subverting the supervised industrial process,” the post added.

Also, when it comes to PLC denial-of-service, the post disclosed that an attacker with limited credentials may exploit another vulnerability to make the device unresponsive and unavailable, both remotely over the network and locally via mouse and keyboard, until a power reset is performed. “This may be combined with other attacks against the device: for instance, a threat actor may perform the previously cited manipulation of the PLC programming to initiate the disruption of the industrial process, then enact this scenario to prevent access to the device, blocking any attempt to regain control.”

“One of the simplest methods for an adversary to carry out these attack scenarios is by acquiring (e.g., sniffing, stealing via phishing, cracking, etc.) valid credentials for one of the PLC’s operating system accounts, and then logging in to the device via SSH,” according to the researchers. “Attackers do not need to target heavily protected administrative credentials, but may focus on lesser-privileged ones, like those used by auditors or external contractors to access the device and perform maintenance activities.” 

It is not uncommon for such credentials to have weaker password protections, such as lower complexity, infrequent rotation, or reuse across devices. “However, this strategy requires direct interaction with the device, likely necessitating prior internal network access, as PLCs are rarely exposed on the public internet,” the post added.

Nozomi also detailed that another route a threat actor may leverage to attack the vulnerable PLC could be by compromising the supply chain of one of the third-party applications or libraries on a device and then waiting for the poisoned software update to be installed, in a similar fashion to what happened with liblzma and SSH servers. “Although far from trivial (in the case of liblzma, it took the attacker roughly three years of work to establish enough trust to become a co-maintainer), this attack scenario may be perpetrated remotely, without the need to acquire a set of credentials or be able to exchange network packets with a target system,” the post added. 

After reporting these vulnerabilities, Beckhoff Automation provided fixed versions of the vulnerable packages. Asset owners can address these vulnerabilities by updating the affected software in their TwinCAT/BSD installations to at least the following versions: IPC-Diagnostics 2.0.0.1, IPC-Diagnostics-www 2.1.1.0, and MDP 1.2.7.0.

If updating these packages is not feasible, several mitigations can reduce the chances of exploitation: keep the number of local accounts entitled to access the PLC running TwinCAT/BSD to a minimum regardless of their privilege level, allow only trusted accounts and protect their passwords thoroughly, log and regularly audit successful logins to the device, and thoroughly review third-party applications and packages before installing or updating them on TwinCAT/BSD.
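As an added example (not code from Nozomi Networks or Beckhoff Automation), the following POSIX shell check compares installed TwinCAT/BSD package versions against the fixed versions listed above, so an asset owner can confirm the update landed. It assumes the pkg(8) package names match the names used in the advisory, and the sample `pkg query` output it runs on is constructed.

```shell
#!/bin/sh
# Added example: verify the three advisory packages are at or above the fixed
# versions. Assumption: pkg(8) names equal the advisory names (IPC-Diagnostics,
# IPC-Diagnostics-www, MDP). Only numeric dotted versions are compared.

# vercmp A B: prints -1 if A < B, 0 if equal, 1 if A > B (component-wise).
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -z "$ai" ] && ai=0          # missing trailing components count as 0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# is_fixed NAME VERSION: returns 0 if fixed, 1 if vulnerable, 2 if not an
# advisory package. Minimum versions are those stated in the advisory.
is_fixed() {
    case $1 in
        IPC-Diagnostics)     min=2.0.0.1 ;;   # CVE-2024-41173, CVE-2024-41175
        IPC-Diagnostics-www) min=2.1.1.0 ;;   # CVE-2024-41174
        MDP)                 min=1.2.7.0 ;;   # CVE-2024-41176
        *) printf '%s: not an advisory package\n' "$1"; return 2 ;;
    esac
    v=${2%%[_,]*}                     # drop pkg revision (_N) / epoch (,N) suffix
    if [ "$(vercmp "$v" "$min")" -lt 0 ]; then
        printf '%s %s: VULNERABLE (fixed in %s)\n' "$1" "$2" "$min"; return 1
    fi
    printf '%s %s: fixed\n' "$1" "$2"; return 0
}

# On the PLC the input comes from pkg(8), e.g.:
#   pkg query '%n %v' IPC-Diagnostics IPC-Diagnostics-www MDP | audit_lines
audit_lines() {
    while read -r n v; do is_fixed "$n" "$v" || true; done
}

# Constructed sample of pkg query output so the check runs offline.
audit_sample() {
    printf '%s\n' 'IPC-Diagnostics 1.9.3.0' 'IPC-Diagnostics-www 2.1.1.0' \
                  'MDP 1.2.6.0' | audit_lines
}

audit_sample
```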