Microsoft has disclosed 15 high-severity vulnerabilities in a widely used collection of tools used to program operational devices inside industrial facilities. While exploiting the code-execution and denial-of-service vulnerabilities was difficult, it enabled threat actors to inflict great damage on targets.
The vulnerabilities affect the CODESYS V3 software development kit. Developers use the platform-independent tools to develop programmable logic controllers, toaster-sized devices that open and close valves, turn rotors, and control various other physical devices in industrial facilities worldwide.
The SDK allows developers to make PLCs compatible with IEC 611131-3, an international standard that defines programming languages that are safe to use in industrial environments. Examples of devices that use CODESYS V3 include Schneider Electric’s Modicon TM251 and the WAGO PFC200.
Microsoft privately notified Codesys of the vulnerabilities in September, and the company has since released patches that fix the vulnerabilities. It’s likely that by now, many vendors using the SDK have installed updates. Any who haven’t should make it a priority.
Microsoft said exploiting the vulnerabilities required a deep knowledge of Codesys’ proprietary protocol. It also requires attackers clear a tall hurdle in the form of gaining authentication to a vulnerable device. One way to achieve authentication is to exploit an already patched vulnerability tracked as CVE-2019-9013 in the event a PLC hasn’t yet been patched against it.
While the vulnerabilities are difficult to exploit, threat actors have been able to pull off such attacks in the past. Malware tracked as Triton and Trisis have been used in at least two critical facilities. The malware, attributed to the Kremlin, is designed to disable safety systems that detect and remediate unsafe conditions.
Combined with the likelihood that the 15 vulnerabilities are patched in most previously vulnerable production environments, the consequences Microsoft is warning of appear unlikely.