ICS/OT: Vulnerabilities Identified in Wago Controllers
Introduction
Forescout Technologies has recently disclosed details regarding vulnerabilities that impact operational technology (OT) products from Wago and Schneider Electric. These vulnerabilities were identified as part of the OT:Icefall research, which has so far resulted in the discovery of 61 vulnerabilities in more than 100 OT products from 13 different vendors. This article summarizes the specific vulnerabilities and their impact, and offers practical advice on reducing the exposure of these devices and on why addressing vulnerabilities in critical infrastructure matters.
Vulnerabilities in Wago Controllers
Forescout Technologies has identified two vulnerabilities in Wago 750 controllers that use the Codesys v2 runtime. Tracked as CVE-2023-1619 and CVE-2023-1620, both can be exploited by an authenticated attacker to cause a denial-of-service (DoS) condition. The first stems from a flawed protocol parser: a malformed packet crashes the device. The second is an insufficient session expiration bug: specific requests sent after the session has been logged out also crash the device. In both cases a manual reboot is required to return the controller to its operating state.
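To make the second bug class concrete, here is an added example of an insufficient session expiration flaw next to a hardened session manager. This is illustrative code written for this article, not the Codesys v2 runtime or Wago firmware: the session table layout, the idle timeout and the request names are assumptions. On the affected controllers the consequence of post-logout requests was a crash; the example only shows the authorization gap that lets such requests reach the request handler at all.

```python
"""Insufficient session expiration (vulnerable) vs. server-side invalidation
with idle expiry (hardened). Illustrative only; not vendor code."""
import secrets
import time

IDLE_TIMEOUT_SECONDS = 300  # assumed policy value


class VulnerableSessions:
    """logout() only flips a flag; the token stays in the table and
    is_authorized() never looks at the flag, so requests sent after logout
    are still processed."""

    def __init__(self, credentials):
        self._credentials = credentials      # {user: password}, assumed store
        self._sessions = {}                  # {token: {"user":..., "logged_out": bool}}

    def login(self, user, password):
        expected = self._credentials.get(user)
        if expected is None or not secrets.compare_digest(expected, password):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = {"user": user, "logged_out": False}
        return token

    def logout(self, token):
        if token in self._sessions:
            self._sessions[token]["logged_out"] = True   # bug: session not destroyed

    def is_authorized(self, token):
        return token in self._sessions                   # bug: flag and age ignored


class HardenedSessions:
    """Sessions are destroyed on logout and expire after an idle period. The
    clock is injectable so expiry can be exercised deterministically."""

    def __init__(self, credentials, now=time.monotonic):
        self._credentials = credentials
        self._sessions = {}                  # {token: {"user":..., "last_seen": float}}
        self._now = now

    def login(self, user, password):
        expected = self._credentials.get(user)
        if expected is None or not secrets.compare_digest(expected, password):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = {"user": user, "last_seen": self._now()}
        return token

    def logout(self, token):
        self._sessions.pop(token, None)      # invalidate server-side, not just client-side

    def is_authorized(self, token):
        session = self._sessions.get(token)
        if session is None:
            return False
        if self._now() - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]        # idle expiry
            return False
        session["last_seen"] = self._now()
        return True


def handle_request(sessions, token, request):
    """Dispatch one request; reject anything without a live session."""
    if not sessions.is_authorized(token):
        return "401 session invalid"
    return f"200 handled {request}"


if __name__ == "__main__":
    creds = {"engineer": "correct horse"}   # constructed credential store
    v = VulnerableSessions(creds)
    t = v.login("engineer", "correct horse")
    v.logout(t)
    print("vulnerable, after logout:", handle_request(v, t, "READ_STATUS"))
    h = HardenedSessions(creds)
    t = h.login("engineer", "correct horse")
    h.logout(t)
    print("hardened, after logout:", handle_request(h, t, "READ_STATUS"))
```

The practical check when reviewing any device or service that offers a login is the one this example encodes: after logout, and after the idle timeout, does the server still act on the old token? If it does, the session is only closed on the client's side.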
Wago 750 automation controllers are widely used in commercial facilities, energy, manufacturing, and transport industries. These controllers support various protocols, including BACnet/IP, CANopen, DeviceNet, EtherNet/IP, KNX, LonWorks, Modbus, and PROFIBUS.
Vulnerability in Schneider Electric ION and PowerLogic Product Lines
Forescout Technologies has also shared details about a high-severity vulnerability in Schneider Electric’s ION and PowerLogic product lines. This vulnerability, tracked as CVE-2022-46680, was identified in the first set of OT:Icefall vulnerabilities but was not made public at the request of the vendor.
The vulnerability impacts the power meters' ION/TCP protocol implementation, which transmits a user ID and password in plaintext with every message. This exposes the credentials to any attacker who can passively intercept the traffic, for example from a position on the same network segment. With these credentials, an attacker can authenticate to the ION/TCP engineering interface, as well as to the SSH and HTTP interfaces, to change the meter's configuration and potentially modify firmware. Compromised credentials could also facilitate lateral movement if they are reused for other applications.
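The following added example shows why carrying the credential in every message is worse than a one-time login leak, and contrasts it with a design that authenticates each message with a keyed MAC so the password never crosses the wire. It is illustrative code for this article, not the ION/TCP protocol, Schneider Electric's code, or the vendor's fix: the field names, framing, sequence-number scheme and key derivation are all assumptions.

```python
"""Credentials-in-every-message (weak) vs. per-message keyed MAC (stronger),
with the passive extraction an on-path observer can perform against the weak
form. Toy framing, not ION/TCP."""
import hashlib
import hmac
import re

# --- weak design: user ID and password in every message ----------------------
def build_plaintext_msg(user, password, cmd):
    return f"USER={user};PASS={password};CMD={cmd}".encode()

_CRED_RE = re.compile(rb"^USER=([^;]+);PASS=([^;]+);")

def passive_extract(messages):
    """What a sniffer on the segment learns: the credential, from every message."""
    found = set()
    for msg in messages:
        m = _CRED_RE.match(msg)
        if m:
            found.add((m.group(1).decode(), m.group(2).decode()))
    return found

# --- stronger design: per-message HMAC, shared secret stays off the wire -----
def derive_key(user, password, salt=b"constructed-salt"):
    # Both ends derive the same key from the password; only MACs are transmitted.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + user.encode(), 50_000)

def build_mac_msg(user, key, seq, cmd):
    body = f"USER={user};SEQ={seq};CMD={cmd}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b";MAC=" + tag

_SEQ_RE = re.compile(rb";SEQ=(\d+);")

def verify_mac_msg(msg, key, last_seq):
    """Return the accepted sequence number, or None if the MAC is wrong, the
    framing is broken, or the message replays an old sequence number."""
    body, sep, tag = msg.rpartition(b";MAC=")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    m = _SEQ_RE.search(body)
    if m is None:
        return None
    seq = int(m.group(1))
    if seq <= last_seq:
        return None                          # replay of an already-seen message
    return seq


if __name__ == "__main__":
    # Constructed traffic: two engineering commands from the same operator.
    weak = [build_plaintext_msg("eng", "s3cret", c) for c in ("READ_CONFIG", "WRITE_CONFIG")]
    print("observer learns from weak design:", passive_extract(weak))
    key = derive_key("eng", "s3cret")
    strong = [build_mac_msg("eng", key, i, c)
              for i, c in enumerate(("READ_CONFIG", "WRITE_CONFIG"), start=1)]
    print("observer learns from MAC design:", passive_extract(strong))
    print("replay accepted?", verify_mac_msg(strong[0], key, last_seq=1) is not None)
```

Two caveats apply to the stronger form as well. A key derived from a password is still only as strong as the password against offline guessing once an attacker holds a message and its MAC, and a MAC protects integrity and origin but not confidentiality of the command itself; in practice an authenticated, encrypted transport between the engineering workstation and the meter addresses both. Whatever the vendor's own remediation is, the operational takeaway from the article stands: treat any credential that has ever traversed such a link as exposed, and do not reuse it elsewhere.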
It is important to note that these devices should not be accessible from the internet. However, Forescout has identified between 2,000 and 4,000 potentially unique devices that are exposed online. The majority of the identified Wago controllers have the HTTP protocol exposed, while the Schneider Electric meters expose the Telnet protocol. Wago devices are particularly popular in Europe, mainly in Germany, Turkey, and France, while ION meters are popular in North America.
Implications and Recommendations
The disclosure of vulnerabilities in critical infrastructure highlights the urgent need for strong security controls around OT assets, starting with keeping them off the internet. The potential impact of a successful attack on these devices could be significant, leading to disruptions in the operations of commercial facilities, energy networks, manufacturing processes, and transportation systems.
To mitigate the risks associated with these vulnerabilities, it is crucial for organizations to take the following steps:
1. Patch Management
Organizations should promptly apply patches and updates provided by vendors. Forescout's OT:Icefall research also found cases where vendor patches were incomplete, so a patch should be verified against the original finding after deployment rather than assumed to close the issue.
2. Secure Configuration
Devices should be properly configured to minimize exposure to potential attacks. This includes ensuring that these devices are not reachable from the internet, and disabling management services (such as Telnet and HTTP) that are not needed. Access control mechanisms, such as strong, unique passwords and multi-factor authentication, should be used to protect against unauthorized access; where a controller or meter cannot enforce multi-factor authentication itself, enforce it on the jump host or VPN through which engineers reach the device.
3. Network Segmentation
Implementing network segmentation can limit the impact of potential attacks. By separating critical devices from other less secure devices, and by routing engineering access through a small set of monitored hosts, organizations can contain the effects of an attack and prevent lateral movement.
4. Security Monitoring
Organizations should invest in robust security monitoring systems that can detect and respond to any suspicious activities or anomalies. Continuous monitoring can aid in the early detection of potential attacks or unauthorized access attempts.
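As an added example of how segmentation and monitoring combine in practice, the following check runs over constructed connection logs and flags sessions that reach controller or meter management ports from outside the designated OT segment, which is the exposure the article describes. It is written for this article, not Forescout's tooling or any vendor's code; the OT subnet, the allowed engineering hosts, the port list and the log format are assumptions.

```python
"""Flag management-port connections into the OT segment that do not come from
the permitted engineering hosts. Constructed log format and subnets."""
import ipaddress
import re

OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")            # assumed OT network
ENGINEERING_HOSTS = ipaddress.ip_network("10.20.250.0/24")   # assumed jump hosts allowed to manage devices
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}

# Constructed sample: one key=value line per connection attempt.
SAMPLE_FLOWS = """\
2023-05-30T10:01:02Z src=10.20.250.7 dst=10.20.1.15 dport=80 proto=tcp
2023-05-30T10:01:05Z src=203.0.113.45 dst=10.20.1.15 dport=80 proto=tcp
2023-05-30T10:02:11Z src=198.51.100.9 dst=10.20.3.40 dport=23 proto=tcp
2023-05-30T10:03:00Z src=10.20.5.2 dst=10.20.1.15 dport=502 proto=tcp
2023-05-30T10:04:30Z src=10.30.7.8 dst=10.20.3.40 dport=22 proto=tcp
"""

_LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)$")

def parse_flow(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    ts, src, dst, dport, proto = m.groups()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto}

def classify(flow):
    """Return an alert for a management-port connection into the OT segment
    from a non-engineering source, else None. Sources outside all internal
    ranges are treated as internet-originated and rated critical."""
    if flow["dst"] not in OT_SEGMENT or flow["dport"] not in MGMT_PORTS:
        return None
    if flow["src"] in ENGINEERING_HOSTS:
        return None                                  # permitted path
    from_internet = not any(flow["src"] in n for n in INTERNAL_NETS)
    return {"ts": flow["ts"], "src": str(flow["src"]), "dst": str(flow["dst"]),
            "service": MGMT_PORTS[flow["dport"]],
            "severity": "critical" if from_internet else "high"}

def scan(log_text):
    """Run classify() over every parsable line and collect the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is not None:
            alert = classify(flow)
            if alert is not None:
                alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_FLOWS):
        print(f"{a['severity'].upper():8} {a['ts']} {a['src']} -> {a['dst']} ({a['service']})")
```

In the constructed sample, the first line is an engineering host reaching a controller's web interface and is not flagged; the Modbus connection on port 502 is skipped because the check only covers management services. The two connections from non-internal addresses are rated critical because a device that accepts them is, by definition, reachable from the internet. A connection from another internal segment is rated high: it is not an internet exposure, but it means the segmentation boundary is not being enforced.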
Conclusion
The disclosure of vulnerabilities in Wago controllers and Schneider Electric’s ION and PowerLogic product lines highlights the ongoing need to prioritize the security of critical infrastructure. While vendors have generally responded positively to the OT:Icefall research, it is important for organizations to take proactive steps to ensure their systems are protected.
Implementing patch management processes, securing configurations, implementing network segmentation, and investing in security monitoring are all essential measures that can enhance the resilience of critical infrastructure systems. The cybersecurity landscape is continually evolving, and it is essential for organizations to stay vigilant and take proactive measures to protect their systems from emerging threats.