A US-CERT advisory was issued today for multiple vulnerabilities discovered by Team82's Mashav Sapir. The vulnerabilities affect Opto 22's SoftPAC Project versions 9.6 and prior.
SoftPAC is a software-based programmable logic controller (PLC) used widely among companies in the power generation and manufacturing sectors. Successful exploitation of the discovered vulnerabilities could enable an adversary to start or stop service, execute malicious code remotely, and/or limit system availability.
However, since the underlying problems related to the discovered vulnerabilities are not unique to SoftPAC, Team82 believes other software-based PLCs may face similar problems.
Standalone, hardware-based PLCs often were not designed with security in mind, but they benefit from the relative obscurity of running on proprietary OT protocols. In contrast, since software-based PLCs run on Windows machines, their potential exposure to cyber threats is far greater. Software-based PLCs present numerous advantages in terms of productivity, flexibility, reporting, testing, and development, but they can also serve as an entry point for attackers wishing to compromise OT environments.
To help prevent their products from being exploited as attack vectors, PLC vendors should sign and verify their firmware files and establish security controls that reject non-signed files. Without this protection in place, an attacker can replace firmware files with malicious files, either as an infection vector or as a means of gaining persistence within an OT environment that has already been compromised.
The SoftPAC PLC runs as a SYSTEM service on Windows machines and is not directly accessible by end users. Rather, SoftPAC vendor Opto 22 provides end users with a different program, SoftPAC Monitor, which allows them to easily control and manage the SoftPAC PLC via another service called SoftPAC Agent.
SoftPAC Monitor allows users to start/stop the PLC service and update the SoftPAC firmware by sending commands to SoftPAC Agent via TCP Port 22000. SoftPAC Agent is only intended to listen to commands from SoftPAC Monitor, but it also listens on 0.0.0.0, the wildcard meta-address, which means it accepts connections on every network interface of the host rather than only on the local loopback interface. Under certain conditions, this could allow attackers to establish external remote connections with SoftPAC Agent (see diagram below).
Since the protocol used by SoftPAC Agent does not require any form of authentication, a remote attacker could potentially mimic SoftPAC Monitor, establish a remote connection, and execute start/stop service or firmware update commands. While an attacker could use start/stop commands to cause costly and potentially dangerous operational changes, the firmware update command is an area of even greater concern.
Through his research, Sapir determined that when SoftPAC Monitor issues a firmware update command, it sends SoftPAC Agent the path of the new firmware zip file, which wraps the executable file. Neither the firmware update zip file sent by SoftPAC Monitor nor the executable file contained within it is signed. As such, an attacker could send a malicious firmware update command via TCP Port 22000, and SoftPAC Agent would readily receive, extract, and install the executable.
Furthermore, the paths within firmware updates sent by SoftPAC Monitor are not sanitized. This results in a 'zip slip' vulnerability during the file's extraction process, allowing an attacker to achieve arbitrary file write with SYSTEM privileges, which can be easily leveraged to execute malicious code.
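The entry-name check that the zip slip finding above calls for, as an added example written here in Python; it is neither Opto 22's code nor the archive Team82 used. It builds a constructed sample archive (benign entry plus, optionally, one entry whose name climbs out of the extraction directory), refuses the whole archive before writing anything if any entry is unsafe, and re-checks every resolved path on the way out. The entry names and payloads are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile

def build_sample_update(include_escape: bool) -> bytes:
    """Constructed sample (not a real SoftPAC update): a benign entry plus, optionally, one that climbs out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("firmware/SoftPAC.bin", b"benign firmware payload")
        if include_escape:
            zf.writestr("../../SoftPAC/evil.dll", b"would land beside the service binary")
    return buf.getvalue()

def is_safe_member(name: str) -> bool:
    """Relative name with no '..' component; backslashes count as separators, as on Windows."""
    normalized = name.replace("\\", "/")
    # Absolute names: leading slash, UNC (//server/share) or a drive letter (C:...).
    if not normalized or normalized.startswith("/") or normalized[1:2] == ":":
        return False
    parts = [p for p in normalized.split("/") if p]
    return bool(parts) and ".." not in parts

def extract_safely(data: bytes, dest: str) -> list:
    """Reject the whole archive before writing anything, then re-check each resolved path while writing."""
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        bad = [i.filename for i in zf.infolist() if not is_safe_member(i.filename)]
        if bad:
            raise ValueError(f"refusing archive with unsafe entries: {bad}")
        written = []
        for info in zf.infolist():
            if info.is_dir():
                continue  # parent directories are created on demand below
            target = os.path.realpath(os.path.join(dest_real, info.filename.replace("\\", "/")))
            if os.path.commonpath([dest_real, target]) != dest_real:  # defence in depth (symlinks etc.)
                raise ValueError(f"resolved path escapes destination: {info.filename!r}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as dst:
                dst.write(zf.read(info))
            written.append(os.path.relpath(target, dest_real))
    return written

def try_extract(data: bytes) -> tuple:
    """Extract into a throwaway directory; return (accepted, relative paths written)."""
    with tempfile.TemporaryDirectory(prefix="softpac_fw_") as dest:
        try:
            return True, extract_safely(data, dest)
        except ValueError:
            return False, []
```

Validating every name before the first write matters: an extractor that checks entries one by one has already dropped earlier files by the time it reaches the bad one.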
In a lab environment, Team82 chained the security flaws described above with DLL hijacking tactics to achieve full code execution in SoftPAC Agent with SYSTEM privileges.
After initiating a connection with SoftPAC Agent, Claroty researchers used this connection to check whether SoftPAC PLC was currently running. Next, they sent a stop command to SoftPAC Agent to stop SoftPAC PLC. After stopping the PLC, they sent a firmware update command containing a network path to a malicious zip file. SoftPAC Agent extracted the zip file and dropped the malicious dynamic-link library (DLL) it contained into the same directory as SoftPAC's executable. After delivering the malicious file, Claroty researchers sent a command to restart SoftPAC PLC, causing the malicious DLL to load and thus executing the code with SYSTEM privileges.
As part of the Claroty Research Team's ongoing efforts to identify security flaws within OT environments, Sapir discovered the following CVEs in SoftPAC:
External control of filename or path (CVE-2020-12042): Paths specified within the zip files used for SoftPAC firmware updates are not sanitized. As such, an attacker with user privileges can achieve arbitrary file write with SYSTEM privileges.
Improper verification of cryptographic signature (CVE-2020-12046): SoftPAC does not verify firmware files' signatures during firmware updates, allowing an attacker to replace legitimate firmware files with malicious files.
Improper access control (CVE-2020-10612): SoftPAC Agent communicates with SoftPAC Monitor over network TCP Port 22000, an open port with no restrictions. This allows attackers with network access to control SoftPAC Agent's behavior with remote commands including firmware updates, starting or stopping service, or writing to certain registry values.
Uncontrolled search path element (CVE-2020-10616): Since SoftPAC does not specify the full path of several DLL files it loads, an attacker can replace them and execute code whenever the service starts.
Improper authorization (CVE-2020-10620): Since its communications do not include any credentials or authentication, attackers with network access can communicate directly with SoftPAC.
The MITRE ATT&CK classifications for attacks utilizing these CVEs include:
Since the vulnerabilities described above only affect SoftPAC Project versions 9.6 and prior, they can be mitigated by updating to the latest version of SoftPAC Project Professional or SoftPAC Project Basic.
If this update is not immediately feasible, CISA recommends the following measures for minimizing the likelihood of these vulnerabilities being exploited within your environment:
Monitor or restrict TCP Port 22000 at the firewall.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
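The "monitor TCP Port 22000" measure above, turned into detection logic as an added example (not CISA's or Claroty's tooling): it reads constructed firewall log lines in a key=value format, counts permitted connections to the SoftPAC Agent port from any source other than the engineering workstations assumed to run SoftPAC Monitor, and separately counts attempts the firewall already blocked. The log format, addresses and the MONITOR_HOSTS allowlist are assumptions for the example.

```python
import re
from collections import Counter

# Constructed firewall log lines in a generic key=value format (not real SoftPAC or firewall output).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z action=allow proto=tcp src=10.1.1.5 sport=50112 dst=10.1.1.20 dport=22000
2024-05-01T10:00:07Z action=allow proto=tcp src=10.1.1.5 sport=50113 dst=10.1.1.20 dport=22000
2024-05-01T10:01:30Z action=allow proto=tcp src=192.0.2.44 sport=40211 dst=10.1.1.20 dport=22000
2024-05-01T10:01:31Z action=allow proto=tcp src=192.0.2.44 sport=40212 dst=10.1.1.20 dport=22000
2024-05-01T10:02:00Z action=allow proto=tcp src=10.1.1.9 sport=51000 dst=10.1.1.20 dport=445
2024-05-01T10:03:12Z action=deny proto=tcp src=198.51.100.7 sport=33001 dst=10.1.1.20 dport=22000
"""

SOFTPAC_AGENT_PORT = 22000  # the port SoftPAC Monitor uses to command SoftPAC Agent
# Assumed allowlist: the engineering workstations that legitimately run SoftPAC Monitor.
MONITOR_HOSTS = {"10.1.1.5"}

_FIELD = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str) -> dict:
    """Turn one log line into a dict; the leading timestamp is kept under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(_FIELD.findall(rest))
    fields["ts"] = ts
    return fields

def review_agent_port_traffic(log: str, allowlist=MONITOR_HOSTS) -> dict:
    """Summarise TCP traffic to the Agent port: unexpected sources that got through, and blocked attempts."""
    summary = {"allowed_unexpected": Counter(), "denied": Counter()}
    for line in log.splitlines():
        f = parse_line(line)
        if f.get("proto") != "tcp" or f.get("dport") != str(SOFTPAC_AGENT_PORT):
            continue  # only the Agent command channel is of interest here
        if f.get("action") == "deny":
            summary["denied"][f["src"]] += 1
        elif f.get("src") not in allowlist:
            summary["allowed_unexpected"][f["src"]] += 1
    return summary
```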
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and misleading victim clients.
Optigo Networks recommends that users upgrade to the following:
CVSS v3: 7.5
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain controls over utilities within the products.
Optigo Networks recommends that users upgrade to the following:
CVSS v3: 9.8
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard-coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
Optigo Networks recommends that users upgrade to the following:
CVSS v3: 7.5
CWE-912 HIDDEN FUNCTIONALITY:
The "update" binary in the firmware of the affected product attempts to mount a remote file system from a hard-coded, routable IP address, bypassing the device's existing network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an attacker is able to control or impersonate this IP address, they could upload and overwrite files on the device.
Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.
If asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.
Please note that this device may be re-labeled and sold by resellers.
Read more here: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated….
CVSS v3: 7.5
CWE-295 IMPROPER CERTIFICATE VALIDATION:
The affected product is vulnerable because its update mechanism fails to verify the update server's certificate, which could allow an attacker to alter network traffic and carry out a machine-in-the-middle (MITM) attack. An attacker could modify the server's response and deliver a malicious update to the user.
Medixant recommends that users download v2025.1 or later of their software.
CVSS v3: 5.7