Siemens PLCs are Exposed to Attacks by Undocumented Access Feature


Siemens addresses a vulnerability which a skilful attacker can exploit in executing arbitrary code on its programmable logic controller (PLC) SIMATIC S7-1200 by abussing hardware based access mode.

The analyzes of Siemens S7-1200 PLCs, which, according to Siemens, are for discrete and continuous control in industrial environments, including manufacturing, chemical and food-and-beverage industries have been conducted by Ali Abbasi, Tobias Sharnowski and Thorsten Holz of the Ruhr-University Bochum, in Germany.

The researchers analyzed the mechanism of verification of integrity in firmware on the device, which is activated and uses bootloader code stored on separate SPI flash memory. A survey of this bootloader carried out in 2013 by the experts on S7-1200 PLCs found that there is an unknown access mode.

Described by researchers as a special access feature based on hardware, it is usually designed to provide additional diagnostic functionality during development. We also noticed, however, that an attacker with physical access to the PLC could exploit it — by a cold boot attack— by sending a special command via the UART interface during the first half a second of the PLC booting.

This allows an attacker to execute arbitrary code before the PLC firmware is loaded in the bootloader phase. The researchers have created a proof of concept (PoC) exploit that demonstrates how this approach can be used to write data to the flashchip using the features of the PLC firmware update. You can also use the method to dump the firmware.

On the other hand, the researchers pointed out that the PLC holder could also use this special access function in forensic analysis.

“Suppose your PLC collapsed,” Abbasi explained. “In particular, not only the logs produced by the PLC itself, companies can do forensics on the PLC. Now companies[ performing forensic analyzes] can take a snapshot of the PLC memory when the crash occurs to further investigate whether there is a PLC infection.” “Another thing is to make sure that check logic is not changed. For example, you take a snapshot of the memory when you first upload control logic, and then, if you are suspicious of a PLC, restart a PLC, snapshot the respective store and see whether the binary is modified or not by comparing it with the original snapshots, “said the researcher in SecurityWeek.

“And if the attacker exploits the PLC and places the memory shellcode (and does not do a ROP Chain), it is now technically feasible to view the shellcode through rebooting and dumping of the memory.”

Abbasi says that they submitted their results to Siemens in March and this week the company has given customers feedback on how a solution is working. In the meantime, consumers are advised to ensure protection from physical access and to make detailed security recommendations. The industry giant told the researchers that the problem of access mode would be removed from PLCs.

The researchers plan to present their results at the Black Hat Europe conference in London next month.

Abbasi has told that one year before Siemens first published, the vulnerability was actually discovered. The vulnerabilities were found as part of a larger project and the scientists agreed not to disclose it to Siemens immediately because of fear that the manufacturer would patch the project and make it unachievable.

Siemens has assigned the identifier CVE-2019-13945 and a CVSS score of 6.8 to the vulnerability, making this a medium-series issue.

However, Abbasi explained that vulnerability exploitation requires a thorough understanding of the PLC’s operating system. “It’s not that hard to exploit when you know the concept,” he said.

However, he pointed out that it might not be very difficult to create an exploit but it depends on what the attacker wants. For example, trying to write to the flash memory requires a thorough understanding of PLC, its operating system and the bootloader.


Leave a Reply