Background
To facilitate debugging and analysis by developers, a lot of master computer configuration software often comes with a simulator that simulates a real programmable logic controller (PLC) or human-machine interface (HMI) device. Such simulators exchange data with master computer configuration software through TCP/IP and therefore some will listen on a designated port which is sometimes even bound to the IP address 0.0.0.0 and open to other remote users.
As simulators may share the code base with real devices, vulnerabilities in simulators will affect real devices and vice versa, especially vulnerabilities in private protocols such as remote code execution vulnerabilities caused by buffer overflows. If simulators provide a publically available service that contains a high-risk vulnerability, attackers could exploit it to compromise developers’ hosts for further penetration.
Research Method
- Determine the research objects by identifying which ports are open to the Internet and which port services (such as Modbus, FTP, S7Comm, or other key services) are publically available.
- Conduct reverse engineering of essential private services to analyze the format of protocol-based packets and check for vulnerabilities like stack overflows, integer overflows, and hard-coded credentials in risk-prone functions like strcpy, memcpy, and atoi.
- By reference to the packet format derived from the preceding analysis, program a tool for fuzz testing. As the simulator runs on the master computer, the testing process moves faster than on real devices.
Vulnerability Discovery
Through the preceding research and analysis, we have discovered some security issues in ICS device simulators that are from ABB, Schneider, and CODESYS. Following are security vulnerabilities that are commonly seen in these simulators.
Arbitrary File Read and Write Vulnerability (CVE-2019-18995)
ABB HMISimulator is an HMI simulator component in Panel Builder 600 launched by ABB for simulation and debugging. During security analysis, we find that this simulator contains an arbitrary file read and write vulnerability assigned CVE-2019-18995.
ABB HMISimulator exposes the HTTP service to the Internet. By leveraging the traditional web vulnerability discovery approach with reverse engineering means, we find that two vulnerable CGI interfaces are publically accessible through HTTP, allowing attackers to gain read and write access to arbitrary files.
This vulnerability allows attackers to achieve the purpose of remote code execution by writing into key files like essential .exe/.dll files and schedule task files.
Directory Traversal Vulnerability (CNVD-2020-09998)
Vijeo Designer is professional HMI programming software rolled out by Schneider for HMI design and download. According to our analysis, the HMI simulator included in this software is prone to a directory traversal vulnerability (CNVD-2020-09998).
The HMI simulator is prone to an arbitrary directory traversal vulnerability due to the lack of path (strings like ../) verification in its publically available FTP service that is used for HMI upload and download.
Attackers could exploit this vulnerability to read and write arbitrary files in the arbitrary directory, achieving the purpose of remote code execution.
NULL Pointer Dereference Vulnerability (CVE-2019-19789)
PLCWinNT is PLC simulation software that comes with CODESYS, enabling developers to conduct development and debugging in the absence of real devices. Conducting a fuzz testing for private protocols exposed by PLCWinNT, we discover a NULL pointer dereference vulnerability (CVE-2019-19789) in this software.
PLCWinNT exposes port 1200 to the Internet which uses the private CODESYS protocol. This simulator does not properly verify the global pointer variable. If this variable is NULL, this simulator is vulnerable to NULL pointer dereference and will finally crash.
Actually, remote denial of service (DoS) does no much harm to the simulator because all the user needs to do is restart the simulator during development once such issue occurs. The point, however, is that this DoS vulnerability will affect the real PLC that shares the same code base with the simulator, making it possible for attackers to launch remote DoS attacks against the PLC.
Sum-up
ICS device simulation software contains a range of security issues. Different vendors take a very different approach to them — some may fix them within only three months, while others may delay the remediation for as long as one year. There is no doubt that during the mitigation period, these vulnerabilities will pose grave security threats to users. For this reason, we offer the following security suggestions:
- Check which ports are open to the Internet on the simulator you are using. Generally, developers use the simulator locally instead of remotely. Therefore, disable exposed ports to prevent access to them.
- Follow up on official security bulletins to update the master computer development or configuration software in time. If auto update is available, enable this function.
