Forescout’s Vedere Labs has disclosed the latest findings of OT:ICEFALL, its vulnerability research focused on finding and addressing issues in operational technology (OT) devices. The new batch adds three vulnerabilities affecting OT devices to the 56 vulnerabilities across devices from 10 OT vendors that the project revealed earlier this year.
OT:ICEFALL by Vedere Labs demonstrates the legacy of “insecure by design” OT, and its implications for certifications and risk management
In its OT:ICEFALL research, Vedere Labs has disclosed three new vulnerabilities affecting OT products from two German vendors: Festo, whose automation controllers are affected, and CODESYS, whose runtime is used by hundreds of device manufacturers across industrial sectors, including Festo. As in the original OT:ICEFALL disclosure, these issues exemplify either an insecure-by-design approach, where manufacturers include dangerous functions that can be reached with no authentication, or a subpar implementation of security controls such as cryptography. The disclosure involved the affected manufacturers and CERT@VDE, a German security platform for small and medium-sized automation companies.
“It is a well-established fact that OT devices are often riddled with vulnerabilities and have grown to become high targets for bad actors owing to the rapidly expanding threat landscape. OT:ICEFALL is our continued effort at identifying such vulnerabilities, along with creating mitigation measures. We were able to identify 56 vulnerabilities in our research earlier this year, but that was certainly not the end of it. The emergence of three new vulnerabilities further lays stress upon the dire need for robust network monitoring,” said Daniel dos Santos, Head of Security Research, Forescout.
The new vulnerabilities identified in the research are the following:
The CODESYS V3 runtime environment, in versions before the fixed release, uses weak cryptography to protect download code and boot applications, enabling an attacker to brute-force the session keys and trivially decrypt and manipulate the protected code.
Festo CPX-CEC-C1 and CPX-CMXX controllers expose critical web page functions to unauthenticated remote access. Anyone with network access to a controller can browse to a hidden web page on the controller’s filesystem and cause the controller to reboot immediately.
The Festo Generic Multicast (FGMC) protocol allows for the unauthenticated reboot of controllers and other sensitive operations on devices supporting this protocol.
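The CODESYS finding above rests on one piece of reasoning: once the session key that protects a boot application has only a handful of bits of entropy, an attacker who knows a little plaintext (such as a fixed file header) can try every key and recover the rest of the file. The following is an added illustrative example written for this article, not CODESYS code and not the CODESYS encryption scheme; the header marker, the 16-bit key width, the SHA-256 counter-mode keystream and the payload are all constructed assumptions chosen to make the effect visible.

```python
"""Added example: why a small session key space makes brute force trivial.

Not the CODESYS scheme. The cipher, header and key sizes below are
constructed for illustration only.
"""
import hashlib
import os
import time

# Constructed assumptions for the demo (not taken from any real product).
KNOWN_HEADER = b"BOOTAPP\x00"   # assumed fixed plaintext marker at the start of every image
WEAK_KEY_BITS = 16              # weak session key: only 65,536 candidates
STRONG_KEY_BITS = 128           # what a sound design would use


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || counter), truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))


decrypt = encrypt


def brute_force_key(ciphertext: bytes, key_bits: int, known_prefix: bytes):
    """Try every key of key_bits bits; return the first one whose decryption
    of the leading bytes equals known_prefix (the known-plaintext check)."""
    key_len = (key_bits + 7) // 8
    head = ciphertext[: len(known_prefix)]
    for candidate in range(1 << key_bits):
        key = candidate.to_bytes(key_len, "big")
        if decrypt(key, head) == known_prefix:
            return key
    return None


def demo(key_bits: int = WEAK_KEY_BITS):
    """Encrypt a constructed image under a random key of key_bits bits, then
    recover the key by brute force. Returns (key_recovered, plaintext, seconds)."""
    key = os.urandom((key_bits + 7) // 8)
    image = KNOWN_HEADER + b"constructed boot application payload"  # constructed
    ct = encrypt(key, image)
    t0 = time.perf_counter()
    found = brute_force_key(ct, key_bits, KNOWN_HEADER)
    elapsed = time.perf_counter() - t0
    plaintext = decrypt(found, ct) if found is not None else None
    return found == key, plaintext, elapsed


def expected_seconds(key_bits: int, keys_per_second: float) -> float:
    """Expected brute-force time (half the key space) at the measured rate."""
    return (1 << key_bits) / 2 / keys_per_second


if __name__ == "__main__":
    ok, plaintext, seconds = demo()
    rate = (1 << WEAK_KEY_BITS) / max(seconds, 1e-9)
    print(f"16-bit key recovered: {ok} in {seconds:.2f}s ({rate:,.0f} keys/s)")
    print(f"recovered plaintext: {plaintext!r}")
    years = expected_seconds(STRONG_KEY_BITS, rate) / (365.25 * 24 * 3600)
    print(f"same attack on a 128-bit key at that rate: ~{years:.2e} years")
```

The known-plaintext check is what makes the attack cheap: the attacker never needs the whole file, only enough leading bytes to reject wrong keys, and the 8-byte marker here makes a false match vanishingly unlikely. Running the script shows the weak key falling in well under a second on ordinary hardware, while the same loop against a 128-bit key would take an astronomical number of years, which is the difference between "weak cryptography" and cryptography that merely looks the same on a datasheet.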