Serious Vulnerability in Siemens PLC.

A new, very serious vulnerability has been discovered that allows code to be executed remotely and without authentication.

The vulnerability is tracked as CVE-2020-15782 and affects the SIMATIC S7-1200 and S7-1500 CPUs. It could allow an attacker to bypass the memory protections of these devices and read or write arbitrary data in restricted memory areas; with full access to the device's memory, more sophisticated attacks can then be built on top of it.

Cybersecurity engineers at Claroty identified this vulnerability and showed how an attacker could exploit it: with nothing more than network access to TCP port 102 of the PLC, they were able to write shellcode directly into the operating system's structures, gaining remote code execution and the ability to add hidden malicious functionality.

The following entry in the Claroty blog explains in detail how to bypass the sandbox of these PLCs.

A successful attack exploiting this vulnerability can be very difficult to detect, since the PLC itself would carry out the malicious actions directly against the physical process.

As always, the remedy is to keep systems updated and to understand how the industrial network actually behaves, which is where deep monitoring solutions come in.
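The article names two practical points for defenders: the attack needs network access to TCP port 102 of the PLC, and monitoring of the industrial network is part of the answer. The script below turns that into a concrete check by scanning firewall-style connection logs for allowed connections to port 102 on PLC addresses that do not originate from an approved engineering workstation. This is an added example, not code from the article or from Claroty; the log format, the IP addresses, the PLC subnet and the list of engineering hosts are all constructed for illustration and would be replaced by the values from a real asset inventory.

```python
"""Flag allowed TCP/102 connections to PLCs from hosts that are not approved
engineering workstations.

Added example; not Claroty's code and not part of the original article.
The log format, addresses, PLC subnet and allowlist are constructed.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample of firewall-style connection log lines.
SAMPLE_LOG = """\
2021-05-28T10:01:12Z ALLOW TCP 10.10.5.20:50122 -> 10.10.7.11:102
2021-05-28T10:01:15Z ALLOW TCP 10.10.5.20:50123 -> 10.10.7.11:102
2021-05-28T10:02:40Z ALLOW TCP 192.168.3.77:44010 -> 10.10.7.11:102
2021-05-28T10:03:02Z ALLOW TCP 10.10.5.20:50130 -> 10.10.7.12:443
2021-05-28T10:04:55Z ALLOW TCP 10.10.9.5:39001 -> 10.10.7.12:102
2021-05-28T10:05:10Z DENY  TCP 203.0.113.9:5555 -> 10.10.7.11:102
"""

# Assumed asset inventory (constructed): where the PLCs live and which
# workstations are allowed to talk S7 to them.
PLC_SUBNET = ipaddress.ip_network("10.10.7.0/24")
ENGINEERING_HOSTS = {ipaddress.ip_address("10.10.5.20")}
# TCP 102 is ISO-TSAP, the port used by the S7 protocol and the one the
# article names as the attacker's only required access.
S7_PORT = 102

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into its fields, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_unexpected_s7_access(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return records for allowed TCP/102 connections to a PLC address whose
    source is not an approved engineering host. Denied connections are
    skipped because the firewall already stopped them."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the scan
        if rec["action"] != "ALLOW" or int(rec["dport"]) != S7_PORT:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if dst in PLC_SUBNET and src not in ENGINEERING_HOSTS:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_unexpected_s7_access(SAMPLE_LOG.splitlines()):
        print(f"{h['ts']} unexpected S7 access {h['src']} -> {h['dst']}:{h['dport']}")
```

On the constructed sample this reports the two connections from 192.168.3.77 and 10.10.9.5; the engineering workstation's own sessions and the connection the firewall already denied are not flagged. The check is deliberately simple: it does not inspect S7 payloads, so it catches unexpected reachability of the port rather than the exploit itself, which is exactly the precondition the article says an attacker needs.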