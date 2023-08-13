The services layer of the PLC runtime is composed of multiple components, each implementing its own functionality and exposing a set of services (commands) that can be invoked at runtime. One such component, CmpTraceMgr, was found to contain several remote code execution flaws.

The services offered by CmpTraceMgr include creating and deleting trace packets, starting tracing when a TraceTrigger fires, updating the current value and timestamp of a TraceVariable, and adding a new TraceRecordConfiguration to a specific trace packet for a given IEC task or application.

Data is passed to these services as tags: structured fields that the component extracts from the incoming request and hands to the service handler. For instance, the TraceMgrRecordAdd service invokes the relevant handler and copies the contents of specified tags into a memory buffer. The copy does not validate the tag's length against the size of the destination buffer, so an attacker-controlled tag that is longer than the buffer overwrites the memory adjacent to it: a classic buffer overflow.
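As an added illustration (not code from the page, from CODESYS, or from the researchers), the following C program models the unchecked tag copy and its bounds-checked counterpart. The tag wire layout (a 2-byte id, a 2-byte length, then the payload), the 64-byte destination buffer and every function name are assumptions made for the example, not the actual CmpTraceMgr tag format or handler code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed destination size for the record name copied out of a tag. */
#define RECORD_NAME_MAX 64

/* Assumed tag layout: 2-byte id, 2-byte length, `len` bytes of payload.
   This is a hypothetical encoding for the example, not the real protocol. */
struct tag {
    uint16_t id;
    uint16_t len;
    const uint8_t *data;
};

/* Parse one tag from a request buffer.
   Returns the number of bytes consumed, or 0 if the tag header is truncated
   or the tag claims more payload than the buffer actually contains. */
size_t tag_parse(const uint8_t *buf, size_t buflen, struct tag *out)
{
    if (buflen < 4)
        return 0;
    out->id  = (uint16_t)(buf[0] | (buf[1] << 8));
    out->len = (uint16_t)(buf[2] | (buf[3] << 8));
    if ((size_t)out->len > buflen - 4)
        return 0;                       /* declared length exceeds the bytes present */
    out->data = buf + 4;
    return 4 + (size_t)out->len;
}

/* Vulnerable pattern: copies the tag payload into a fixed-size stack buffer
   using the attacker-supplied length. A tag longer than RECORD_NAME_MAX bytes
   overwrites whatever lies beyond `name` on the stack. Only ever call this with
   an in-bounds tag; it is here to show the missing check, not to be triggered. */
int record_add_vulnerable(const struct tag *t)
{
    char name[RECORD_NAME_MAX];
    memcpy(name, t->data, t->len);      /* no comparison of t->len with sizeof name */
    return (int)t->len + (name[0] == 0);
}

/* Hardened pattern: reject the tag before copying if it cannot fit, keeping
   one byte for the NUL terminator. Returns the copied length or -1. */
int record_add_hardened(const struct tag *t, char *name, size_t name_size)
{
    if (t->len >= name_size)
        return -1;
    memcpy(name, t->data, t->len);
    name[t->len] = '\0';
    return (int)t->len;
}

/* Predicts whether the vulnerable handler would overflow on this tag. */
int tag_would_overflow(const struct tag *t)
{
    return t->len > RECORD_NAME_MAX;
}

/* Build a constructed tag (id, len, `len` copies of `fill`) into `out`.
   Returns bytes written, or 0 if `out` is too small. */
size_t build_tag(uint8_t *out, size_t cap, uint16_t id, uint16_t len, uint8_t fill)
{
    if (cap < 4u + len)
        return 0;
    out[0] = (uint8_t)(id & 0xff);
    out[1] = (uint8_t)(id >> 8);
    out[2] = (uint8_t)(len & 0xff);
    out[3] = (uint8_t)(len >> 8);
    memset(out + 4, fill, len);
    return 4u + len;
}

int main(void)
{
    uint8_t req[256];
    char name[RECORD_NAME_MAX];
    struct tag t;

    /* Constructed oversized tag: 200 bytes of 'A' against a 64-byte buffer. */
    size_t n = build_tag(req, sizeof req, 0x10, 200, 'A');
    if (tag_parse(req, n, &t) == n)
        printf("oversized tag: would_overflow=%d hardened=%d\n",
               tag_would_overflow(&t), record_add_hardened(&t, name, sizeof name));

    /* Constructed benign tag: 10 bytes of 'B', safe for either handler. */
    n = build_tag(req, sizeof req, 0x10, 10, 'B');
    if (tag_parse(req, n, &t) == n)
        printf("benign tag: hardened=%d name=%s\n",
               record_add_hardened(&t, name, sizeof name), name);
    return 0;
}
```

The point of `tag_parse` and `record_add_hardened` together is that a length field needs two checks, not one: the declared length must fit inside the bytes actually received, and it must fit inside the destination the handler copies into. The vulnerable handler trusts the length on both counts.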

A buffer overflow of this kind lets an attacker overwrite memory beyond the buffer, including control data that decides what the runtime executes next, and so divert execution to code of the attacker's choosing, which amounts to arbitrary code execution. Because the malicious tag arrives in a request over the network protocol, the result is remote code execution.

To mitigate these vulnerabilities, CODESYS GmbH recommends enabling online user management, so that requests to the runtime must be authenticated. This blocks malicious requests and the download of harmful code, and also prevents actions that could disrupt a machine or system. From version V3.5.17.0 onwards, online user management is enforced by default. The protection only holds as long as valid credentials cannot be obtained by an attacker.

The researchers who discovered these vulnerabilities bypassed that authentication by exploiting an earlier CODESYS vulnerability, CVE-2019-9013, in which credentials were transmitted in plaintext during login; intercepting them on the network allowed a replay attack that authenticated the attacker's own requests.

To exploit the buffer overflows successfully, the researchers also had to overcome OS and application-level memory protections, including data execution prevention (DEP) and address space layout randomization (ASLR). They demonstrated their exploits on a Schneider Electric TM251 controller and a Wago PFC200 device, both with DEP and ASLR enabled. Additionally, they released an open-source ICS forensics framework that helps asset owners identify affected devices, receive security recommendations, and detect suspicious artifacts in PLC metadata and project files.