TID-304: Manipulate Runtime Environment
Threat Description
A threat actor can manipulate the runtime environment on a device to maintain persistence and to overwrite device functionality such as protocol handlers. If the application program (which the threat actor can deploy on the device through a program download) has access to the memory where the runtime environment and its libraries reside, it can overwrite those libraries with malicious code. This is especially risky because runtime environments must often allow dynamic addition of modules or functions to support user-specific customization or configuration of devices, which may require the runtime to keep that memory writable.
NOTE: This differs from TID-305 because this threat focuses on code being used to manipulate the device runtime environment itself, whereas TID-305 pertains to a malicious program itself being used to perform device actions.
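The following is an added illustration, not code from this catalog or from any vendor runtime. It models the shared-memory condition described above as a constructed toy PLC runtime: one flat arena holds both the application's variable area and the runtime's protocol-handler dispatch table. A malicious application program uses the runtime's memory-write primitive to overwrite a handler slot with its own function pointer; the hardened variant confines application writes to the application data area and adds an integrity check of the table before dispatch. All names, offsets and the sample request bytes are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed toy model of a PLC runtime (not CODESYS or any real product).
 * One flat byte arena is shared by the application's variable area and the
 * runtime's protocol-handler dispatch table. Layout and names are assumptions.
 */
#define MEM_SIZE          256
#define APP_DATA_OFF      0     /* application (IEC logic) variable area */
#define APP_DATA_SIZE     128
#define HANDLER_TABLE_OFF 128   /* runtime: dispatch table for protocol handlers */
#define HANDLER_COUNT     2

typedef int (*handler_fn)(const uint8_t *pkt, size_t len);
typedef int (*app_write_fn)(size_t off, const void *src, size_t n);

static uint8_t device_mem[MEM_SIZE];
static uint8_t golden_table[HANDLER_COUNT * sizeof(handler_fn)];

/* Legitimate handlers, e.g. a register-read and a register-write service. */
static int handler_read(const uint8_t *pkt, size_t len)  { (void)pkt; (void)len; return 0; }
static int handler_write(const uint8_t *pkt, size_t len) { (void)pkt; (void)len; return 1; }
/* Handler a malicious application substitutes; returns a marker value. */
static int handler_hijacked(const uint8_t *pkt, size_t len) { (void)pkt; (void)len; return 0xBAD; }

static handler_fn get_handler(int idx) {
    handler_fn fn;
    memcpy(&fn, device_mem + HANDLER_TABLE_OFF + (size_t)idx * sizeof fn, sizeof fn);
    return fn;
}

static void set_handler(int idx, handler_fn fn) {
    memcpy(device_mem + HANDLER_TABLE_OFF + (size_t)idx * sizeof fn, &fn, sizeof fn);
}

void runtime_init(void) {
    memset(device_mem, 0, sizeof device_mem);
    set_handler(0, handler_read);
    set_handler(1, handler_write);
    /* Golden copy kept outside the shared arena for the integrity check below. */
    memcpy(golden_table, device_mem + HANDLER_TABLE_OFF, sizeof golden_table);
}

/* Weak primitive: the application may address any offset in the arena. Only the
 * physical end of memory is checked, so runtime structures are reachable. */
int app_write_unrestricted(size_t off, const void *src, size_t n) {
    if (n > MEM_SIZE || off > MEM_SIZE - n) return -1;
    memcpy(device_mem + off, src, n);
    return 0;
}

/* Hardened primitive: offsets are relative to, and confined to, the application
 * data area. The check is ordered so that off + n cannot wrap around. */
int app_write_confined(size_t off, const void *src, size_t n) {
    if (n > APP_DATA_SIZE || off > APP_DATA_SIZE - n) return -1;
    memcpy(device_mem + APP_DATA_OFF + off, src, n);
    return 0;
}

/* Integrity check a runtime can run before dispatching: is the table unchanged? */
bool runtime_table_intact(void) {
    return memcmp(golden_table, device_mem + HANDLER_TABLE_OFF, sizeof golden_table) == 0;
}

int runtime_dispatch(int idx, const uint8_t *pkt, size_t len) {
    if (idx < 0 || idx >= HANDLER_COUNT) return -1;
    return get_handler(idx)(pkt, len);
}

/* Malicious application program: write its own function pointer over handler
 * slot 0 through the given primitive, then let the runtime serve a request.
 * Returns the value produced by whichever handler actually ran. */
int run_attack(app_write_fn write) {
    static const uint8_t request[] = { 0x01, 0x03, 0x00, 0x10, 0x00, 0x01 }; /* constructed sample */
    handler_fn evil = handler_hijacked;
    runtime_init();
    (void)write(HANDLER_TABLE_OFF, &evil, sizeof evil);   /* rejected by the confined primitive */
    return runtime_dispatch(0, request, sizeof request);
}

int main(void) {
    int r = run_attack(app_write_unrestricted);
    printf("unrestricted: dispatch(0) = 0x%X, table intact = %d\n", r, (int)runtime_table_intact());
    r = run_attack(app_write_confined);
    printf("confined:     dispatch(0) = 0x%X, table intact = %d\n", r, (int)runtime_table_intact());
    return 0;
}
```

With the unrestricted primitive the handler table is clobbered and the runtime silently executes the substituted code for every later request, which is the persistence and protocol-handler takeover described above. The confined primitive makes the table unaddressable from application code at all, and the integrity check gives the runtime a way to detect tampering that reached the table by some other path, such as a buffer overflow in the application's own data area.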
Threat Maturity and Evidence
Proof of Concept
Security Issues In Compiled PLC Logic (CoDeSys & ProConOs)
At S4x23, Reid Wightman demonstrated that if memory space is shared between program runtime, program logic, and other device functions such as network handling, it is possible to create malicious programs that can manipulate a device’s runtime environment from the application program.
CWE
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
“The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.”
CVE
CODESYS Security Advisory 2023-04 (CVE-2022-4046, CVE-2023-28355)
“The CODESYS Control V3 runtime system does not restrict the memory accesses of the PLC application code to the PLC application data and does not sufficiently check the integrity of the application code by default. This could be exploited by authenticated PLC programmers.”