Researchers have discovered a design flaw lets anyone carry out commands without authentication on software called CoDeSys, which is widely used in industrial controls.
CoDeSys is an IEC 61131-3 software suite from 3S-Smart Software Solutions GmbH, Germany, that runs ladder-logic operations. It is used by over 260 manufacturers to run ladder-logic programs on PLCs, drive controllers, and other industrial controls. The vulnerability was uncovered by the company Digital Bond, Sunrise, Fla., during its Project Basecamp, a research effort to demonstrate the fragility of industrial control systems.
Researchers at Digital Bond used a Wago IPC 758-870 Model PLC as their test unit, but say all systems running CoDeSys PLC software seem affected. The Wago PLC runs embedded Linux on an x86 central-processing unit, but other operating systems such as Nucleus RTOS and Windows CE are also affected. Given the way CoDeSys operates within the OS, manufacturers often run the ladder logic with elevated root or administrator privileges. Or they use an OS that does not have user privilege controls.
One critical point is that the CoDeSys runtime offers a transmission-control-protocol listener service. The listener service typically runs on port 1200, although ports 1201 and 2455 were used on other controllers. Services provided by this listener include a command-line interface where instructions may be sent directly to the ladder-logic runtime service and a file-transfer service that permits downloading and uploading logic files.
Unfortunately, CoDeSys software executes this connection without user authentication. Anyone who knows how can connect through the CoDeSys software to execute commands and transfer files. For example, they can stop and start the running ladder logic, wipe the PLC memory, and list files and directories. As the runtime operates with high-level privileges, all subdirectories and files are accessible, including critical system files such as /etc/passwd and /etc/shadow in Linux and the Window’s registry in CE.
Right now, the only sure way of securing this or any industrial system is to keep it off any network. However, IT staff can make access more secure by placing systems on private networks that can only be entered through specific machines that carry out user authentication.