TID-306: Sandboxed Environments Escaped
Threat Description
While restricting the execution of external programs to a sandboxed execution environment can mitigate the threat of programs gaining excessive privileges or memory access, vulnerabilities within that environment could be exploited to escape the sandbox. This would allow the threat actor to escalate their privileges, manipulate the device’s operation more broadly, and evade detection.
Threat Maturity and Evidence
Proof of Concept
The Race to Native Code Execution in PLCs
Claroty demonstrated in their research that it was possible to break out of the runtime environment on a PLC and execute code natively in protected areas of memory. “Escaping the sandbox means an attacker would be able to read and write from anywhere on the PLC, and could patch an existing VM opcode in memory with malicious code to root the device.”
CWE
CWE-693: Protection Mechanism Failure
“The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.”
CVE
“A vulnerability has been identified in [Siemens devices]… Affected devices are vulnerable to a memory protection bypass through a specific operation. A remote unauthenticated attacker with network access to port 102/tcp could potentially write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks.”