Researchers from Claroty, an industrial network security company, recently discovered a serious vulnerability that can be used by uncertified remote attackers to attack Siemens’ programmable logic controllers (PLCs). The vulnerability, numbered CVE-2020-15782, is a high-risk memory protection bypass vulnerability that allows attackers to access TCP port 102 through the network to write and read data in the protected memory area. This remotely exploitable vulnerability has caused researchers to think deeply about the safety of Siemens controllers.
Industrial giant Siemens stated that the security breach affects its SIMATIC S7-1200 and S7-1500 CPUs, and its PLC products can be remotely attacked through the new vulnerability. Siemens has released firmware updates for some of the affected devices and provided workarounds for products that have not yet released patches.
According to Claroty, the vulnerability can bypass the sandbox where engineering code runs and directly access the device memory, thereby obtaining native code execution on a Siemens S7 PLC. The researchers showed how an attacker can bypass the protection and write the shellcode directly into the protected memory. Sandbox escape means that the attacker can read and write from anywhere in the PLC, and can use malicious code to patch the existing VM opcodes in the memory to perform root operations on the device. It is important to emphasize that attacks that exploit this vulnerability will be difficult to detect.
The disclosure of research results is the result of the close relationship between Siemens and Claroty. This not only promotes the cooperation between industrial network security research teams and suppliers in vulnerability disclosure, but also promotes the security of the entire industrial ecosystem. The close cooperation between Siemens and Claroty includes the exchange of technical details, attack techniques, and mitigation suggestions, which all help facilitate the timely release of update patches by Siemens. Siemens and Claroty hope that, given the critical nature of this vulnerability, users should update S7-1200, S7-1500 CPUs, and other affected products as soon as possible.
Vulnerability introduction and affected products
1.1 Vulnerability overview
Number: CVE-2020-15782, improper restrictions on operations within the memory buffer. CVSS v3.1 score: 8.1. The basic information given on the well-known vulnerability website vuldb.com is as follows.
1.2 Affected products
Affected devices are vulnerable to memory protection bypassing and implementing specific operations. A remote unauthenticated attacker who has network access to TCP port 102 may write arbitrary data and code into a protected memory area, or read sensitive data to launch further attacks.
On May 28th, Siemens issued a warning SSA-434534 to notify users of the missing information. Siemens has also released updates for various products including S7-1500 and S7-1200. It is recommended that users update to the latest version to make up for the loopholes. The company stated that it is preparing further updates for products that have not yet been updated. Siemens also provides specific mitigation measures that users can use to reduce risks.
The evolution of Siemens PLC local code execution
The main reason why CVE-2020-15782 has received such attention is that the successful use of this vulnerability will likely increase the research on Siemens controller attacks by industrial network security researchers to a new level, while the limit for successful attacks by attackers will be greater. The less the easier, the reason is that the conditions of the loophole are too superior.
The implementation of native code execution on industrial control systems such as programmable logic controllers (PLCs) is the ultimate goal that advanced and highly capable attackers have achieved. Because these complex systems have many memory protections, attackers must not only be able to run the code of their choice, but also not be discovered, so they must overcome these protection measures.
Early attempts at attacks required physical access and connection to the PLC, or technology targeted at the engineer’s workstation and other links to the PLC, in order to obtain that level of code execution. This time, Claroty used a newly discovered vulnerability to bypass the PLC sandbox in Siemens SIMATIC S7-1200 and S7-1500 PLC cpu and run native code in the memory protection area, which further improved the remote feasibility of this attack idea. sex. Attackers can use this CVE-2020-15782 vulnerability to remotely obtain read-write memory access that is difficult to detect and delete.
From an attacker’s point of view, the ultimate goal of PLC vulnerability exploitation is to achieve unrestricted and undetected code execution on the PLC. This means that the code can be hidden deep inside the PLC without being detected by the operating system or any diagnostic software.
Over the years, in view of the leading position of Siemens PLC in the market, there have been many attempts to implement this capability on Siemens PLC.
First of all, the most famous Stuxnet attack in history (Stuxnet), which obtained user-level code execution on the old SIMATIC S7-300 and S7-400. The code modification itself is completed by operating the local step7 project file. Then, Stuxnet can hide the code changes on the PLC by manipulating the WinCC binary file on the local engineering station. In this way, the malware can not only install itself on the PLC secretly, but also protect itself from WInCC detection when the control software tries to read the infected memory block from the PLC. Of course, through the combination of Microsoft updates to its Windows operating system and Siemens product updates recorded in SSA-110665 and SSA-027884, this problem has long been resolved.
The second classic PLC attack is the Rogue7 attack in 2019 (from the paper Rogue7: Rogue Engineering-Station attacks on S7 Simatic PLCs). The researchers behind “Rogue7” were able to create a rogue engineering station, which can be disguised as a TIA (TIA Portal is a series of seamlessly integrated automation solutions) gateway to the PLC and inject any information that is beneficial to the attacker. By understanding how the password information is exchanged, they can hide the code in the user’s memory, while the TIA engineering station is invisible. Siemens partially solved this problem and provided mitigation measures, see SSA-232418 for details.
Third, also in 2019, Ali Abbasi and Tobias Scharnowski, security research experts at Ruhr University Bochum, Germany, introduced how they obtained code execution on Siemens S7 PLC by physically attacking SIMATIC 1200. They use UART (Universal Asynchronous Receiver/Transmitter), usually called UART. It converts the data to be transmitted between serial communication and parallel communication. As a parallel input signal into a serial output signal UART is usually integrated into the link of other communication interfaces.) Physically connected to dump the firmware, and found a loophole chain, allowing them to hide the code deeper in the system and obtain unrestricted code implement. Siemens solved this problem in SSA-686531.
This time, the claroty research team took this research a big step forward. They demonstrated a new sophisticated remote attack that allows attackers to obtain native code execution on Siemens S7 PLCs. The target of the attack is the depths of the kernel and avoids any detection because it can escape the user sandbox and write shellcode in a protected memory area. The CVE-2020-15782 vulnerability is precisely the key condition that facilitates the escape of the PLC sandbox.
The development history of Siemens PLCs local code execution attack
PLC sandbox escape
The integrity of the PLC is of utmost importance to operators and engineers, and the attacker’s goal is to destroy this integrity through codes hidden on the controller and elevated privileges. The vulnerability CVE-2020-15782 exploited this time bypasses the existing protections in the PLC execution environment, including the sandbox where engineering code usually runs. Claroty was able to use this vulnerability to achieve sandbox escape in order to directly access the memory, and then write and inject shellcode to execute its attack on Siemens 1200/1500 PLC.
In order to execute this attack, network access to the PLC is required. In addition, the attacker also needs PLC download permissions. Since TIA Portal V12, Siemens has provided various mitigation controls to restrict user networks and read and write access to PLCs, especially password protection mechanisms. In addition, starting from V17, Siemens has introduced TLS communication using personal certificates between PLC, HMI and TIA Portal, which greatly reduces the potential attack surface.
3.1 The general structure of PLC (take S7 PLC as an example)
In order to understand Claroty’s specific attack, we must first outline the general structure of a standard PLC. Its CPU is a 16- or 32-bit microprocessor, composed of a memory chip and integrated circuit, which manages control logic, process monitoring and communication. The CPU guides the PLC to execute control instructions, communicate with other devices, perform logic and arithmetic operations, and perform internal diagnostics. It also runs memory routines, constantly checks the PLC to avoid programming errors, and ensures that the memory is not damaged. The logic runs in a sandbox environment (sometimes called a “prison”). The logic transferred to the controller is limited to the specific memory area and API provided by the vendor.
Take Siemens S7 PLC as an example. It runs on ADONIS core and ARM or MIPS processor. There are many programming languages that can be used to configure the controller, including statement list (STL), ladder diagram (LD), functional block diagram (FBD) and structure Control Language (SCL).
Regardless of the input source, the PLC program will be compiled into MC7/MC7+ bytecode, which is a low-level code representation. After being compiled by the engineering station-Siemens TIA portal-the code block (MC7/MC7+ format) is downloaded and installed into the PLC through the Siemens S7Comm/S7Comm+ protocol. Then, the MC7 virtual machine in the PLC will assign the code block and interpret and execute the bytecode.
PLC program execution process
Without reverse engineering capabilities, it is impossible to decode MC7/MC7+ bytecode, because Siemens has not publicly provided such technical documentation. Therefore, research must use reverse engineering to analyze the MC7/MC7+ bytecode language set in order to understand its internal mechanism and find bugs.
3.2S7PLC Sandbox Escape
Because the virtual machine limits the resources that the user program can access, the compiled bytecode can only be used to access the resources allowed by the operating system, and cannot be used directly for hardware operations. This is to restrict users and running code to a set of actions that are considered safe and defined. For example, the operating system will restrict any direct access to protected memory, but will allow the use of any function in the standard library provided by Siemens (such as ADD_I-Add Integer subroutine). In other words, the operating system “locks” user code in a sandbox/container, and access to resources, memory, and functions is limited, which may damage the PLC and/or the entire process.
In order to escape or “jailbreak” the local SIMATIC S7-1200 and S7-1500 sandboxes, Claroty used its memory protection to bypass loopholes. This vulnerability allows attackers to write arbitrary data and code into so-called protected memory areas, or read sensitive data to launch further attacks.
Use CVE-2020-15782 to achieve sandbox escape
Sandbox escape means that the attacker can read and write from anywhere on the PLC, and can use malicious code to patch the existing VM opcode in the memory to implement ROOT permission operations on the device. For example, Claroty can directly inject the ARM/MIPS shellcode into the internal operating system structure, so that when the operating system uses a specific opcode of its choice, the malicious shellcode will be executed to execute the code remotely. Claroty uses this technique to install a kernel-level program that has some features that are completely hidden from the operating system.
Four, prevention suggestions
4.14.1 Mitigation measures
Siemens has identified the following specific solutions and mitigation measures, and strongly recommends that customers adopt them to reduce risks:
S7 communication adopts password protection
Disable the client connection through the ENDIS_PW instruction of the S7-1200 or S7-1500CPU (this will block the remote client connection, even if the client can provide the correct password)
Use Display configuration for additional access protection S7-1500 CPU (this will prevent remote clients from connecting, even if the client can provide the correct password)
Apply “Defense in Depth”, such as the safety measures described on page 12ff of the Industrial Operation Guide, in particular:
1. Factory safety: physical protection of key components;
2. Network security: ensure that the PLC system is not connected to an untrusted network;
3. System integrity: configuration, maintenance and protection of equipment application applicable compensation saturation control and use of built-in safety capabilities.
Update the entire solution to TIA Portal V17 and use personal certificate TLS communication between PLC, HMI and PG/PC
4.2 General safety recommendations
As a general security measure, Siemens strongly recommends the use of appropriate protection mechanisms to access the device network. In order to operate the equipment in a protected IT environment, Siemens recommends environmental configuration in accordance with the Siemens Industrial Security Operation Guide (https://www.siemens.com/cert/operational-guidelines-industrial-security).
Please follow the recommendations in the product manual.More information about Siemens Industrial Security can be found at
Found on https://www.siemens.com/industrialsecurity.
The CVE-2020-15782 vulnerability can bypass the sandbox where engineering code runs and directly access the device’s memory, thereby obtaining native code execution on Siemens S7 PLC. Claroty researchers showed how an attacker can bypass the protection and write the shellcode directly into the protected memory. Sandbox escape means that the attacker can read and write from anywhere in the PLC, and can use malicious code to patch the existing VM opcode in the memory, so as to perform Root operations on the device. It is important to note that if this vulnerability is used by an attacker to initiate a malicious attack, it will be difficult to detect. The disclosure of the results is the result of close cooperation between Siemens and Claroty, which is conducive to promoting the cooperation between the industrial network security industry and industrial equipment suppliers in vulnerability disclosure, and is also conducive to the safety of the entire industrial ecosystem.