Festo Not Fixing Controller Holes

Monday, April 28, 2014 @ 10:04 AM gHale


Festo decided not to resolve the vulnerabilities in its CECX-X-C1 and CECX-X-M1 controllers because of compatibility reasons with existing engineering tools, according to a report on ICS-CERT.

The vulnerabilities, discovered by K. Reid Wightman of IOActive Inc., place critical infrastructure asset owners using this product at risk. ICS-CERT issued an advisory to alert critical infrastructure asset owners to the risk of using this equipment and to urge them to increase compensating measures where possible. These vulnerabilities are remotely exploitable and public exploit code is available.

The following Festo products suffer from the issue:
• CECX-X-C1 Modular Master Controller with CoDeSys
• CECX-X-M1 Modular Controller with CoDeSys and SoftMotion.

The vulnerabilities in the Festo CECX-X-M1 Modular Controller are:
• An FTP backdoor
• Two unauthenticated ports (Port 4000/TCP debug service port and Port 4001/TCP log service port) that allow modification of memory and logging
• All CoDeSys commands execute without authentication because of two known vulnerabilities in the CoDeSys V2.3 runtime version

This product sees use across industries as a programmable logic controller with inclusion of a multiaxis controller for automated assembly and automated manufacturing. Identified customers are in solar cell manufacturing, automobile assembly, general assembly and parts control, and airframe manufacturing where tolerances are particularly critical to end product operations. An attacker could change the tolerances of assembly and remove record of the change.

According to the Festo product web page, other products are using newer versions of CoDeSys software and may not be vulnerable to the CoDeSys vulnerability, but the researcher did not evaluate those products.

Festo is a German industrial control and automation company based in Esslingen am Neckar, Germany. Its U.S. headquarters are in Hauppauge, NY.

The affected product, CECX-X-M1 controller, is a programmable logic controller with inclusion of a multi-axis controller primarily used for factory assembly processes. According to Festo, CECX-X-M1 controllers work across several sectors including critical manufacturing. Festo has subsidiaries and resellers in 176 countries.

The Festo CECX-X-M1 controller has an FTP backdoor, allowing unauthenticated access. Exploitation could allow an attacker to crash the device or to execute arbitrary code.

CVE-2014-0760 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

Two unauthenticated ports (Port 4000/TCP debug service port and Port 4001/TCP log service port) could allow modification of memory and logging. This could allow an attacker to change configuration settings and remove log records of system change/error, hiding malicious activity.

CVE-2014-0769 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

The CoDeSys v2.3 runtime module used by the Festo CECX-X-M1 is vulnerable (ICSA-13-011-01 3S CoDeSys Multiple Vulnerabilities). Because this runtime module was not updated to a newer, nonvulnerable version, any CoDeSys command sent to it is accepted without authentication.

CVE-2012-6068 was the case number assigned to this vulnerability in January 2013, which had a CVSS v2 base score of 10.0.

The CoDeSys Runtime Toolkit’s file transfer functionality does not perform input validation, which allows an attacker to access files and directories outside the intended scope. This may allow an attacker to upload and download any file on the device. This could allow the attacker to affect the availability, integrity, and confidentiality of the device.

CVE-2012-6069 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

An attacker with a low skill level could exploit these vulnerabilities.

Festo has decided not to resolve these vulnerabilities, placing critical infrastructure asset owners using this product at risk. Users should increase compensating security measures if possible.

Some of these compensating measures can be:
• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
• When remote access is a requirement, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
• Investigate the practicality of configuring and deploying an intrusion detection system (IDS) to log and monitor the control system network, as well as adjacent networks.
• Configure, activate, and test existing defenses, such as port security and traffic logging, among other defensive strategies in the recommended practices document listed below.
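The traffic-logging and monitoring measures above can be made concrete for this product: the advisory names three unauthenticated services on the CECX-X-M1 (FTP, TCP/4000 debug, TCP/4001 log), so any connection to those ports that does not come from an engineering workstation is worth an alert. The following is an added example, not ICS-CERT's or Festo's code; the flow-log format, the controller subnet and the engineering allowlist are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Unauthenticated services on the Festo CECX-X-M1 named in the ICS-CERT advisory.
WATCHED_PORTS = {
    21: "FTP backdoor (CVE-2014-0760)",
    4000: "debug service (CVE-2014-0769)",
    4001: "log service (CVE-2014-0769)",
}

# Hypothetical network plan (assumption): controllers sit in the cell network,
# and only engineering workstations in the allowlisted prefix may reach them.
CONTROLLER_NET = ipaddress.ip_network("10.20.0.0/24")
ENGINEERING_ALLOWLIST = [ipaddress.ip_network("10.20.1.0/24")]


@dataclass
class Alert:
    src: str
    dst: str
    port: int
    reason: str


def parse_flow(line):
    # Constructed flow-log format: "<ts> <src_ip> <dst_ip> <proto> <dst_port> <action>"
    ts, src, dst, proto, port, action = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(port), action


def check_flows(lines):
    """Return one Alert per TCP flow that reaches a watched controller port
    from outside the engineering allowlist."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, proto, port, action = parse_flow(line)
        if proto != "tcp" or dst not in CONTROLLER_NET or port not in WATCHED_PORTS:
            continue
        if any(src in net for net in ENGINEERING_ALLOWLIST):
            continue  # expected engineering traffic
        alerts.append(Alert(str(src), str(dst), port, WATCHED_PORTS[port]))
    return alerts


# Constructed sample flows: one allowed engineering host, one business-network
# host reaching the log service, one Internet host reaching FTP, one unrelated port.
SAMPLE_FLOWS = """
2014-04-28T10:04:01 10.20.1.15 10.20.0.7 tcp 4000 allow
2014-04-28T10:04:02 172.16.9.40 10.20.0.7 tcp 4001 allow
2014-04-28T10:04:03 203.0.113.5 10.20.0.7 tcp 21 allow
2014-04-28T10:04:04 172.16.9.40 10.20.0.7 tcp 502 allow
"""
```

Running `check_flows(SAMPLE_FLOWS.splitlines())` yields two alerts, for the business-network host on TCP/4001 and the Internet host on FTP; the engineering workstation on TCP/4000 is expected traffic and the port 502 flow is not a watched service.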
