India, December 2022: Forescout’s Vedere Labs today disclosed the latest findings of OT: ICEFALL, vulnerability research focused on finding and addressing issues in operational technology (OT) devices. The research has detected three new vulnerabilities affecting OT devices, in continuation to its findings wherein 56 vulnerabilities affecting devices from 10 OT vendors were revealed earlier this year.
In its OT: ICEFALL research, Vedere Labs has disclosed three new vulnerabilities affecting OT products from two German vendors: Festo automation controllers and the CODESYS runtime, which is used by hundreds of device manufacturers in different industrial sectors, including Festo. As in the original OT: ICEFALL disclosure, these issues exemplify either an insecure-by-design approach where manufacturers include dangerous functions that can be accessed with no authentication or a subpar implementation of security controls, such as cryptography. The disclosure involved the affected manufacturers and the CERT@VDE, a German security platform for small and medium-sized automation companies.
“It is a well-established fact that OT devices are often riddled with vulnerabilities and have grown to become high targets for bad actors owing to the rapidly expanding threat landscape. OT: ICEFALL is our continued effort at identifying such vulnerabilities, along with creating mitigation measures. We were able to identify 56 vulnerabilities in our research earlier this year, but that was certainly not the end of it. The emergence of three new vulnerabilities further lays stress upon the dire need for robust network monitoring,” said Daniel dos Santos, Head of Security Research, at Forescout.
The new vulnerabilities identified in the research are the following:
The CODESYS V3 runtime environment before version 220.127.116.11 uses weak cryptography for downloading code and boot applications, enabling attackers to trivially decrypt and manipulate protected code by brute forcing session keys.
Festo CPX-CEC-C1 and CPX-CMXX controllers allow unauthenticated, remote access to critical webpage functions. Anyone with network access to a controller can browse to a hidden web page found on the controller’s filesystem, causing the controller to reboot immediately.
The Festo Generic Multicast (FGMC) protocol allows for the unauthenticated reboot of controllers and other sensitive operations on devices supporting this protocol.
Distribution of CODESYS and Festo devices
The official website of CODESYS describes it as the leading IEC 61131-3 automation suite, running on several million devices of approximately 1,000 models from over 500 manufacturers. Examples of manufacturers using the technology on their products can be found on this link. These devices are used in industries such as manufacturing, energy automation, and building automation. Although these devices are typically not supposed to be exposed online, we see almost 3,000 devices running CODESYS when querying the Shodan search engine (“port:2455 operating system”).
Festo CPX is an automation platform for electric and pneumatic systems. CPX-CEC-C1 and CPX-CMXX controllers run CODESYS V2, while newer versions run CODESYS V3 and provide capabilities for Industry 4.0, such as remote I/O and cloud connection. On the Forescout Device Cloud – a repository of data from 19 million devices monitored by Forescout appliances – we see close to 1,000 Festo controllers, used overwhelmingly within manufacturing.