Vulnerabilities in the Beckhoff Automation TwinCAT/BSD OS expose PLCs to the risk of logic manipulation and DoS attacks

Nozomi Networks Labs disclosed on Tuesday four vulnerabilities in Beckhoff Automation’s TwinCAT/BSD operating system that, under the right conditions, could expose PLCs (programmable logic controllers) to logic tampering or denial-of-service (DoS) attacks, significantly impacting the industrial process being controlled. The issues found are serious: they allow commands to be executed with root privileges on the PLC, or the operating system to be frozen in a way that requires a reboot to recover.

“A successful attack requires access to a valid local account on the operating system, but no special privileges are required, meaning that even third-party users or applications with the lowest possible privilege on the PLC could exploit these vulnerabilities if they are not fixed,” the research team wrote in a blog on Tuesday. “After we shared our findings with Beckhoff Automation, they quickly took action to resolve the issue, demonstrating an impressive and remarkable response time of two months. Patches and mitigations for these vulnerabilities are now available on Beckhoff’s official advisories page.”

Nozomi explained that of the four vulnerabilities, CVE-2024-41173 and CVE-2024-41175 affect the IPC-Diagnostics package included in TwinCAT/BSD, in versions up to but not including 2.0.0.1; CVE-2024-41174 affects the IPC-Diagnostics-www package included in TwinCAT/BSD, in versions up to but not including 2.1.1.0; and CVE-2024-41176 affects the MDP package included in TwinCAT/BSD, in versions up to but not including 1.2.7.0.

The article pointed out that TwinCAT/BSD is an operating system developed by Beckhoff Automation that combines the real-time control capabilities of TwinCAT with the robust and versatile features of the Unix-based BSD operating system. TwinCAT, short for “The Windows Control and Automation Technology”, is a software system that turns almost any PC-based system into a real-time controller with multi-PLC system capabilities, with the added benefit of high compatibility with standard IT infrastructure.

Software that can be installed on TwinCAT/BSD includes Beckhoff Device Manager, a comprehensive suite of features for remotely monitoring the operational status, performance and configuration of Beckhoff devices from a central location. All the vulnerabilities presented in Nozomi’s blog were identified while analyzing this software.

Nozomi stated that the vulnerabilities have a significant impact on the affected Beckhoff Automation devices: once an attacker has access to a local account on the PLC’s operating system, they can carry out the attack scenarios below regardless of the permissions that account holds.

As for manipulating the PLC logic, Nozomi explained that an attacker with limited credentials could exploit one of the identified vulnerabilities to reset the PLC administrator password without needing the original password. “This would allow them to connect to the PLC with administrator access using standard engineering tools and reprogram the device as they wish, potentially allowing them to subvert the industrial process being monitored,” the post continued.

As for the PLC denial-of-service attack, the post also outlined that an attacker with limited credentials can exploit another vulnerability to render the device unresponsive and unavailable, both remotely over the network and locally via mouse and keyboard access until a reboot is performed. “This can be combined with other attacks on the device: for example, a threat actor can perform the previously mentioned manipulation of the PLC programming to cause the industrial process to be interrupted, and then stage this scenario to prevent access to the device and block any attempt to regain control.”

“One of the easiest ways for an attacker to perform these attack scenarios is to obtain valid credentials for one of the PLC’s operating system accounts (e.g., through sniffing, theft via phishing, cracking, etc.) and then log into the device via SSH,” the researchers said. “Attackers do not need to target heavily protected administrator credentials, but can focus on less privileged ones, such as those used by auditors or third-party contractors to access the device and perform maintenance.”

It’s not uncommon for these types of credentials to have weaker password protection, such as being less complex, changing less frequently, or being reused across devices. “However, this strategy requires direct interaction with the device and likely prior internal network access, as PLCs are rarely available on the public internet,” the post continued.

Nozomi also explained that a threat actor could use another way to attack the vulnerable PLC by compromising the supply chain of one of the third-party applications or libraries on a device and then waiting for the poisoned software update to install, similar to what happened with liblzma and SSH servers. “While this is far from trivial (in the case of liblzma, it took the attacker about three years of work to build enough trust to become a co-maintainer), this attack scenario can be performed remotely without requiring a set of credentials or exchanging network packets with a target system,” the post added.

Following the reporting of these vulnerabilities, Beckhoff Automation made corrected versions of the vulnerable packages available. Plant owners can resolve these vulnerabilities by updating the affected software in their TwinCAT/BSD installations to the following versions – IPC-Diagnostics: at least version 2.0.0.1; IPC-Diagnostics-www: at least version 2.1.1.0; and MDP: at least version 1.2.7.0.

If updating these vulnerable packages is not possible, some measures can be taken to reduce the risk of exploitation. These include minimizing the number of local accounts that have access to the PLC running TwinCAT/BSD – regardless of their permissions – and ensuring that only trusted accounts are allowed and that their passwords are carefully protected. Organizations should also log and regularly audit successful logins to the device, and thoroughly review third-party applications and packages before installing or updating them on TwinCAT/BSD.
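The two account-related mitigations above (keep the set of local accounts minimal, and audit successful logins) can be checked with a small script on the PLC itself. The following is an added example, not code from Nozomi’s post or from Beckhoff: it lists local accounts that can log in interactively, counts successful sshd logins per account, and flags interactive accounts that never logged in during the audited window (candidates for removal). TwinCAT/BSD is FreeBSD-based, so the script assumes FreeBSD conventions: passwd-format account data and sshd entries in syslog format such as those in /var/log/auth.log. The passwd and log excerpts embedded below are constructed sample data; the host name plc01 and all IP addresses are made up.

```shell
#!/bin/sh
# Added example (not from the Nozomi post or from Beckhoff): a small login
# audit helper for a TwinCAT/BSD (FreeBSD-based) host.
# Constructed sample data; on a real host you would feed in /etc/passwd and
# /var/log/auth.log (default FreeBSD path, assumed) instead.

# Constructed /etc/passwd excerpt: root, an administrator, a contractor
# account and two system accounts with nologin shells.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
Administrator:*:1001:1001:Administrator:/home/Administrator:/bin/sh
contractor:*:1002:1002:Maintenance contractor:/home/contractor:/bin/sh
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin'

# Constructed auth.log excerpt in FreeBSD syslog format (host plc01 is made up).
SAMPLE_AUTHLOG='Aug  6 09:12:01 plc01 sshd[1201]: Accepted password for contractor from 10.0.5.23 port 51122 ssh2
Aug  6 09:12:40 plc01 sshd[1207]: Failed password for Administrator from 10.0.5.23 port 51130 ssh2
Aug  6 10:02:11 plc01 sshd[1302]: Accepted publickey for Administrator from 10.0.5.10 port 40011 ssh2
Aug  7 02:15:33 plc01 sshd[1410]: Accepted password for contractor from 10.0.9.77 port 60210 ssh2'

# Print one account name per line for every passwd entry whose login shell
# permits an interactive session (anything other than nologin or /bin/false).
# Reads passwd-format text from stdin.
interactive_accounts() {
    awk -F: '$7 != "" && $7 != "/bin/false" && $7 !~ /nologin$/ { print $1 }'
}

# Print "user count" pairs for successful sshd logins, sorted by user.
# Only "Accepted ..." lines count; failed attempts are ignored here.
# Reads auth.log text from stdin. In the sshd log format the user name is
# the 9th whitespace-separated field ("Accepted <method> for <user> from ...").
accepted_logins_per_user() {
    awk '/sshd\[[0-9]+\]: Accepted / { counts[$9]++ }
         END { for (u in counts) print u, counts[u] }' | sort
}

# Print interactive accounts that had no successful SSH login in the audited
# log window. $1 = passwd text, $2 = auth.log text.
unused_interactive_accounts() {
    seen=$(printf '%s\n' "$2" | accepted_logins_per_user | cut -d' ' -f1)
    printf '%s\n' "$1" | interactive_accounts | while read -r u; do
        printf '%s\n' "$seen" | grep -Fqx "$u" || printf '%s\n' "$u"
    done
}

# Human-readable report over the sample data when run directly.
printf 'Accounts able to log in interactively:\n'
printf '%s\n' "$SAMPLE_PASSWD" | interactive_accounts
printf '\nSuccessful SSH logins per account:\n'
printf '%s\n' "$SAMPLE_AUTHLOG" | accepted_logins_per_user
printf '\nInteractive accounts with no login in this window (review/remove):\n'
unused_interactive_accounts "$SAMPLE_PASSWD" "$SAMPLE_AUTHLOG"
```

On a real device the three functions would be fed with `cat /etc/passwd` and `cat /var/log/auth.log` (or a rotated copy) instead of the sample variables; an account such as the contractor logging in at 02:15 from an address never seen before is exactly the kind of low-privilege activity the post recommends auditing for.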
