TID-309: Device Exploits Engineering Workstation
Threat Description
If the integrated development environment (IDE) or vendor software that is used to manage a device is not sufficiently secure, it could be exploited or crashed when it connects to the device, such as during a file transfer or program upload. A threat actor could use a compromised device, such as a PLC, to exploit a vulnerability within the engineering software/IDE used to manage that device. This could be used to (i) gain unauthorized access to the workstation, (ii) perform a DoS on the workstation, or (iii) propagate to other devices managed by that workstation.
Threat Maturity and Evidence
Proof of Concept
EVIL PLC ATTACK: WEAPONIZING PLCS
Claroty was able to install a malicious program on the PLC that would infect a connected EWS upon a program upload. In some cases, they were able to achieve arbitrary code execution on the EWS.
Denial of Engineering Operations Attacks in Industrial Control Systems
“Specifically, the attacker can deceive the engineering software during attempts to retrieve the ladder logic program from a programmable logic controller (PLC) by manipulating the ladder logic on the PLC, such that the software is unable to process it while the PLC continues to execute it successfully. This attack vector can provide sufficient cover for the attacker’s actual scenario to play out while the owner tries to understand the problem and reestablish positive operational control.”
CWE
CWE-20: Improper Input Validation
“The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.”
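The threat description, the Denial of Engineering Operations quote and CWE-20 all come down to the same engineering-workstation defect: the EWS trusts the program image it uploads from the device. The following C example is added here for illustration and is not code from EMB3D, Claroty, the cited paper or any vendor product. It assumes a constructed toy program-image format (1-byte record type, 2-byte big-endian length, payload; type 0x01 is a ladder rung, 0x02 is a symbol name) and shows how an upload parser on the workstation side validates every length field against the bytes actually present, caps record sizes, and checks symbol-name characters before any byte is used, so a manipulated image from a compromised PLC is reported as a specific error instead of corrupting memory or hanging the tool.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy format (an assumption for this example, not any vendor's):
   a program image is a sequence of TLV records:
     1 byte type | 2 bytes big-endian length | payload
   type 0x01 = ladder rung (opaque bytes), type 0x02 = symbol name (ASCII). */
#define MAX_RECORDS  64
#define MAX_RUNG_LEN 256
#define MAX_NAME_LEN 32

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED,   /* a header or a length field claims bytes that are not there */
    PARSE_TOO_LONG,    /* record exceeds the size the EWS is prepared to handle */
    PARSE_BAD_TYPE,    /* unknown record type */
    PARSE_TOO_MANY,    /* more records than the EWS table can hold */
    PARSE_BAD_NAME     /* symbol name contains a byte outside [A-Za-z0-9_] */
};

struct record  { uint8_t type; uint16_t len; const uint8_t *payload; };
struct program { size_t count; struct record recs[MAX_RECORDS]; };

static int name_char_ok(uint8_t c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '_';
}

/* Validates the whole image before any record is acted on. Every bound is
   checked against the buffer the caller actually received, never against the
   device-supplied length fields alone. */
enum parse_status parse_program(const uint8_t *buf, size_t buflen, struct program *out)
{
    size_t off = 0;
    out->count = 0;
    while (off < buflen) {
        if (buflen - off < 3)                      /* header must fit entirely */
            return PARSE_TRUNCATED;
        uint8_t  type = buf[off];
        uint16_t len  = (uint16_t)((buf[off + 1] << 8) | buf[off + 2]);
        off += 3;
        if (len > buflen - off)                    /* length field lies about the payload */
            return PARSE_TRUNCATED;
        switch (type) {
        case 0x01:
            if (len > MAX_RUNG_LEN) return PARSE_TOO_LONG;
            break;
        case 0x02:
            if (len == 0 || len > MAX_NAME_LEN) return PARSE_TOO_LONG;
            for (size_t i = 0; i < len; i++)
                if (!name_char_ok(buf[off + i])) return PARSE_BAD_NAME;
            break;
        default:
            return PARSE_BAD_TYPE;
        }
        if (out->count >= MAX_RECORDS) return PARSE_TOO_MANY;
        out->recs[out->count].type    = type;
        out->recs[out->count].len     = len;
        out->recs[out->count].payload = buf + off;   /* points into the validated range */
        out->count++;
        off += len;
    }
    return PARSE_OK;
}

/* Convenience wrappers that return only the verdict or the record count. */
enum parse_status parse_image(const uint8_t *buf, size_t buflen)
{
    struct program p;
    return parse_program(buf, buflen, &p);
}
size_t record_count(const uint8_t *buf, size_t buflen)
{
    struct program p;
    return parse_program(buf, buflen, &p) == PARSE_OK ? p.count : 0;
}

/* Constructed sample images (not captured from any device). */
const uint8_t GOOD_IMAGE[] = {
    0x01, 0x00, 0x03, 0xA0, 0xB1, 0xC2,            /* rung, 3 payload bytes   */
    0x02, 0x00, 0x05, 'M', 'o', 't', 'o', 'r'      /* symbol name "Motor"     */
};
/* Length field claims 0x1000 bytes but only 2 follow: an unchecked parser would
   read or copy past the end of the buffer. */
const uint8_t LYING_LENGTH_IMAGE[] = { 0x01, 0x10, 0x00, 0xA0, 0xB1 };
/* Symbol name carrying bytes the EWS would later hand to string routines. */
const uint8_t BAD_NAME_IMAGE[] = { 0x02, 0x00, 0x04, 'M', 0x00, 0xFF, ';' };

int main(void)
{
    printf("good image:   status %d, %zu records\n",
           parse_image(GOOD_IMAGE, sizeof GOOD_IMAGE), record_count(GOOD_IMAGE, sizeof GOOD_IMAGE));
    printf("lying length: status %d\n", parse_image(LYING_LENGTH_IMAGE, sizeof LYING_LENGTH_IMAGE));
    printf("bad name:     status %d\n", parse_image(BAD_NAME_IMAGE, sizeof BAD_NAME_IMAGE));
    return 0;
}
```

The point for the defender is where the check happens: the image is validated completely, against the buffer the workstation actually holds, before a single record is dereferenced or displayed, and each failure is a distinct status the EWS can log. That turns the "software is unable to process it while the PLC continues to execute it" situation into an explicit alert that the uploaded program is malformed rather than a silent crash or a hang the operator has to diagnose.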
CVE
CVE-2021-22289
“Improper Input Validation vulnerability in the project upload mechanism in B&R Automation Studio version >4.0 may allow an unauthenticated network attacker to execute code.”