Forescout’s Vedere Labs Discloses New Vulnerabilities, Insights on OT Security Design and Patching
Dubai, United Arab Emirates, 22 June 2023: For its final OT:ICEFALL report, Forescout’s Vedere Labs presents three new vulnerabilities and concludes the project after one year of research following the original disclosure.
The OT:ICEFALL research, including 61 vulnerabilities affecting 13 vendors, has yielded three key insights into the current state of OT product security:
- Vendors still lack a fundamental understanding of secure-by-design. Vedere Labs research shows the continuing prevalence of insecure-by-design practices in OT products and highlights that existing security controls are often broken. It found recurring design issues that demonstrate a lack of understanding of basic security control design, such as plaintext and/or hardcoded credentials, client-side authentication, stateful control on stateless protocols, missing critical steps in authentication, broken algorithms and faulty implementations. In older product lines, some issues persist because of the need for backward compatibility, but some of these problems are also found in newer designs.
- Vendors often release low-quality patches. Incomplete patches can lead to the discovery of new vulnerabilities, exemplifying how a bad patch increases risk rather than decreasing it. This situation has previously been acknowledged in IT but is even more critical in OT, where security patches are harder to apply. Patches are often incomplete due to a lack of variant analysis and piecemeal fixes for vulnerabilities, instead of addressing their root causes.
- Vendors must improve their security testing procedures. The shallow nature of many vulnerabilities Vedere Labs found in the project casts doubt on the quality of the security testing these products currently undergo. Again, a possible explanation is that in some cases products and protocols must remain backward compatible with legacy designs. Notwithstanding, some vendors have a certified software development lifecycle, which leads Vedere Labs to wonder how those vendors missed the bugs in the first place.
Each of the points above reflects the posture of some vendors, but not necessarily every vendor affected by OT:ICEFALL.
Below, Vedere Labs summarize the new vulnerabilities and discuss the consequences of this research for OT security management.
New OT product vulnerabilities
The table below summarizes the new vulnerabilities Vedere Labs are disclosing. CVE-2022-46680 is the last issue found in the original OT:ICEFALL research and was not initially made public at the request of the affected vendor. CVE-2023-1619 and CVE-2023-1620 are new findings on WAGO controllers using the popular CODESYS V2 runtime.
| CVE ID | Affected devices | Description | CVSS v3.1 | Potential impact |
|---|---|---|---|---|
| CVE-2022-46680 | Schneider Electric ION and PowerLogic power meters | The ION/TCP protocol transmits a user ID and password in plaintext with every message. This allows an attacker with passive interception capabilities to obtain these credentials and authenticate to the ION/TCP engineering interface as well as SSH and HTTP interfaces to change configuration settings and potentially modify firmware. | 8.8 | Compromise of credentials |
| CVE-2023-1619 | WAGO 750 controllers | An authenticated attacker could send a malformed packet to trigger a device crash. After triggering the vulnerability, the affected device must be manually rebooted to return to its operating state. | 4.9 | DoS |
| CVE-2023-1620 | WAGO 750 controllers | Due to insufficient session expiration, an authenticated attacker can crash an affected device by sending specific requests after being logged out. After triggering the vulnerability, the affected device must be manually rebooted to return to its operating state. | 4.9 | DoS |
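The CVE-2023-1620 row describes a session that the server still honours after the user has logged out. The following Python is an added illustration for this page, not WAGO or CODESYS code and not the controller's actual request handling: a session store whose logout leaves the server-side session alive, next to one that removes it on logout and also enforces an idle timeout, with the authorization check placed before any command is dispatched. The "engineering interface" handler, the user name and the command names are constructed for the example.

```python
"""Added illustration (not WAGO or CODESYS code): a session store whose logout
does not end the session on the server, next to one that does and that also
enforces an idle timeout. The handler and its commands are constructed."""
import secrets
from typing import Dict, Optional, Tuple


class WeakSessionStore:
    """Logout is only a courtesy to the client; server-side state survives it."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}  # token -> user

    def login(self, user: str, now: float) -> str:
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def logout(self, token: str) -> None:
        pass  # the defect: nothing is invalidated on the server

    def user_for(self, token: str, now: float) -> Optional[str]:
        return self._sessions.get(token)


class StrictSessionStore:
    """Logout removes the session; every lookup also enforces an idle timeout."""

    def __init__(self, idle_timeout: float = 300.0) -> None:
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, Tuple[str, float]] = {}  # token -> (user, last_seen)

    def login(self, user: str, now: float) -> str:
        token = secrets.token_hex(16)
        self._sessions[token] = (user, now)
        return token

    def logout(self, token: str) -> None:
        # Drop the server-side entry so the token is dead from this point on.
        self._sessions.pop(token, None)

    def user_for(self, token: str, now: float) -> Optional[str]:
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > self.idle_timeout:
            self._sessions.pop(token, None)  # expired: remove it server-side
            return None
        self._sessions[token] = (user, now)  # sliding idle window
        return user


def handle_request(store, token: str, now: float, command: str) -> str:
    """The session check runs before the command is parsed or dispatched, so a
    request arriving after logout never reaches code that would act on it."""
    user = store.user_for(token, now)
    if user is None:
        return "rejected: no valid session"
    return f"{user} executed {command}"


if __name__ == "__main__":
    weak = WeakSessionStore()
    t = weak.login("engineer", 0.0)
    weak.logout(t)
    print("weak store after logout:", handle_request(weak, t, 1.0, "WRITE_CONFIG"))
    strict = StrictSessionStore()
    t = strict.login("engineer", 0.0)
    strict.logout(t)
    print("strict store after logout:", handle_request(strict, t, 1.0, "WRITE_CONFIG"))
```

The two stores differ only in what logout and lookup do on the server, which is where the CVE-2023-1620 class of defect lives: a client that believes it has logged out, or that lets a session idle, must find the server in agreement, and that check has to sit in front of every request path, including the ones that were only ever expected to run for an active session.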
Remediation and mitigation for CVE-2022-46680 are available through the vendor’s advisory. There was close collaboration between Forescout and Schneider Electric on CVE-2022-46680. The fix developed to secure this legacy protocol, designed 30 years ago, is a significant achievement and shows Schneider Electric’s commitment to adopting secure-by-design principles to protect existing customers.
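The page does not describe how Schneider Electric's fix works, and the Python below is not its code and not the ION/TCP wire format. It is an added illustration of the design gap named in the first insight above (plaintext credentials) and in the CVE-2022-46680 row: a message layout that copies the user ID and password onto the wire with every message, so a passive observer recovers them by parsing, next to a challenge-response layout in which the password is only used locally on both ends to derive a per-session MAC key and every message carries a sequence number. The user store, both layouts and the command names are constructed for the example.

```python
"""Added illustration (not Forescout/Vedere Labs code, not ION/TCP): cleartext
credentials in every message versus a challenge-response session key. The user
store, message layouts and command names are constructed for this example."""
import hashlib
import hmac
import secrets

# Constructed credential store for a hypothetical engineering interface. A real
# server would hold a verifier rather than the password itself.
USERS = {"engineer": "s3cret-pw"}


# ---- Legacy layout: "user:password:command" in cleartext on every message ----
def legacy_message(user: str, password: str, command: str) -> bytes:
    return f"{user}:{password}:{command}".encode()


def passive_observer_extracts_credentials(wire: bytes) -> tuple:
    """What a capture of the legacy layout yields: the credentials, by parsing."""
    user, password, _command = wire.decode().split(":", 2)
    return user, password


# ---- Hardened layout: per-session MAC key derived from a server challenge ----
def server_challenge() -> bytes:
    """Fresh random nonce per session; a reused challenge would allow replay."""
    return secrets.token_bytes(16)


def derive_session_key(password: str, challenge: bytes) -> bytes:
    """Client and server each derive the key locally; only the challenge is sent."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


def hardened_message(user: str, session_key: bytes, seq: int, command: str) -> bytes:
    """Authenticate 'user:seq:command' under the session key; seq blocks replay."""
    body = f"{user}:{seq}:{command}".encode()
    tag = hmac.new(session_key, body, hashlib.sha256).hexdigest()
    return body + b":" + tag.encode()


def server_verify(wire: bytes, challenge: bytes, expected_seq: int) -> bool:
    """Server-side check: known user, expected sequence number, valid MAC."""
    try:
        user, seq, command, tag = wire.decode().split(":", 3)
        seq_num = int(seq)
    except ValueError:
        return False  # malformed message: reject before doing anything else
    if user not in USERS or seq_num != expected_seq:
        return False
    key = derive_session_key(USERS[user], challenge)
    body = f"{user}:{seq}:{command}".encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    wire = legacy_message("engineer", "s3cret-pw", "READ_CONFIG")
    print("legacy capture yields:", passive_observer_extracts_credentials(wire))
    challenge = server_challenge()
    key = derive_session_key("s3cret-pw", challenge)
    msg = hardened_message("engineer", key, 1, "READ_CONFIG")
    print("password on the wire:", b"s3cret-pw" in msg)
    print("server accepts seq 1:", server_verify(msg, challenge, 1))
    print("server accepts replay as seq 2:", server_verify(msg, challenge, 2))
```

The point of the contrast is where the secret lives: in the legacy layout it is copied into every message, so intercepting one message is the whole attack; in the hardened layout it stays on both endpoints and only a keyed tag crosses the wire. A password-keyed MAC on its own still lets an observer guess weak passwords offline against a captured tag, so a production design would put this under TLS or use a PAKE; what the example shows is the minimum change that stops credentials from being readable in a capture.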
ION and PowerLogic power meters provide power and energy monitoring in sectors such as manufacturing, energy, water and wastewater systems. WAGO 750 is a line of automation controllers with variants supporting several different protocols, such as Modbus, KNX, Ethernet/IP, PROFIBUS, CANopen, BACnet/IP, DeviceNet and LonWorks, that are used in sectors such as commercial facilities, manufacturing, energy and transportation.
Although these devices are not supposed to be exposed online, Vedere Labs see between 2,000 and 4,000 potentially unique devices directly accessible when querying Shodan. The most popular exposed protocols are HTTP for WAGO controllers and Telnet for ION meters. WAGO controllers are most popular in Europe, while ION meters are most popular in North America.
On the Forescout Device Cloud – a repository of data from 19 million devices monitored by Forescout appliances – we see around 500 WAGO controllers and 500 ION power meters. Both types of devices are most commonly seen in manufacturing, but they are also popular in utilities and healthcare, in the latter case mainly for building automation.