A US-CERT advisory was issued today for multiple vulnerabilities discovered by Claroty researcher Mashav Sapir. The vulnerabilities affect Opto 22’s SoftPAC Project versions 9.6 and prior.
SoftPAC is a software-based programmable logic controller (PLC) used widely among companies in the power generation and manufacturing sectors. Successful exploitation of the discovered vulnerabilities could enable an adversary to start or stop service, execute malicious code remotely, and/or limit system availability.
However, since the underlying problems related to the discovered vulnerabilities are not unique to SoftPAC, the Claroty Research Team believes other software-based PLCs may face similar problems.
Standalone, hardware-based PLCs often were not designed with security in mind, but they benefit from the relative obscurity of running on proprietary OT protocols. In contrast, since software-based PLCs run on Windows machines, their potential exposure to cyber threats is far greater. Software-based PLCs present numerous advantages in terms of productivity, flexibility, reporting, testing, and development, but they can also serve as an entry point for attackers wishing to compromise OT environments.
To help prevent their products from being exploited as attack vectors, PLC vendors should sign and verify their firmware files and establish security controls that reject non-signed files. Without this protection in place, an attacker can replace firmware files with malicious files, either as an infection vector or as a means of gaining persistence within an OT environment that has already been compromised.
The SoftPAC PLC runs as a SYSTEM service on Windows machines which is not directly accessible by end users. Rather, SoftPAC vendor Opto 22 provides end users with a different program, SoftPAC Monitor, which allows them to easily control and manage the SoftPAC PLC via another service called SoftPAC Agent.
SoftPAC Monitor allows users to start/stop the PLC service and update the SoftPAC firmware by sending commands to SoftPAC Agent via TCP Port 22000. SoftPAC Agent is only intended to listen to commands from SoftPAC Monitor, but it also listens to 0.0.0.0, a non-routable meta-address used to designate an invalid or unknown targets. Under certain conditions, this could allow attackers to establish external remote connections with SoftPAC Agent (see diagram below).
Diagram: SoftPAC Agent is designed to manage SoftPAC PLC based on user commands received from SoftPAC Monitor, but under the right circumstances, it could be manipulated by an attacker via external remote connections.
Since the protocol used by SoftPAC Agent does not require any form of authentication, a remote attacker could potentially mimic SoftPAC Monitor, establish a remote connection, and execute start/stop service or firmware update commands. While an attacker could use start/stop commands to cause costly and potentially dangerous operational changes, the firmware update command is an area of even greater concern.
Through his research, Sapir determined that when SoftPAC Monitor issues firmware update commands, it sends SoftPAC Agent the path of the new firmware zip file, which wraps the executable file. Neither the firmware update zip file sent by SoftPAC Monitor nor the executable file contained within it are signed. As such, an attacker could send a malicious firmware update command via TCP Port 22000, and SoftPAC Agent would readily receive, extract, and install the executable.
Furthermore, the paths within firmware updates sent by SoftPAC Monitor are not sanitized. This results in a ‘zip slip’ vulnerability during the file’s extraction process, allowing an attacker to achieve arbitrary file write with SYSTEM privileges, which can be easily leveraged to execute malicious code.
In a lab environment, Claroty researchers chained the security flaws described above with DLL hijacking tactics to achieve full code execution in SoftPAC Agent with SYSTEM privileges.
Proof-of-concept GIF of fully chained attack carried out by Claroty’s white-hat researchers in a lab environment.
After initiating a connection with SoftPAC Agent, Claroty researchers used this connection to check whether SoftPAC PLC was currently running. Next, they sent a stop command to SoftPAC Agent to stop SoftPAC PLC. After stopping the PLC, they sent a firmware update command containing a network path to a malicious zip file. SoftPAC Agent extracted the zip file and dropped the malicious dynamic-link library (DLL) file it contained and placed in the same directory as SoftPAC’s executable. After delivering the malicious file, Claroty researchers sent a command to restart SoftPAC PLC, causing the malicious DLL to load, thus executing the code with SYSTEM privileges.
As part of the Claroty Research Team’s ongoing efforts to identify security flaws within OT environments, Sapir discovered the following CVEs in SoftPAC:
The MITRE ATT&CK classifications for attacks utilizing these CVEs include:
Since the vulnerabilities described above only affect SoftPAC Project versions 9.6 and prior, they can be mitigated by updating to the latest version of SoftPAC Project Professional or SoftPAC Project Basic.
If this update is not immediately feasible, CISA recommends the following measures for minimizing the likelihood of these vulnerabilities being exploited within your environment: