Team82 recently discovered three new Windows-based vulnerabilities in B&R Automation Studio, an integrated industrial automation software environment that supports a wide range of operational technology (OT) functions, including controls, human machine interfaces (HMIs), and safety. B&R Automation Studio is used globally, particularly among chemical, energy, and critical manufacturing companies.
The discovered vulnerabilities relate specifically to the product's update service, require a low level of skill to exploit, and can be leveraged through remote code execution. After being notified by Claroty, B&R Automation issued patches for these vulnerabilities, as well as a US-CERT advisory.
B&R Automation says it has not found evidence indicating any of the vulnerabilities discovered by Claroty have been used maliciously. That being said, Preminger and Anikster's findings provide an illustrative example of how an attacker can leverage software vulnerabilities to exploit computers used for engineering work within an OT environment.
The specific nature of the vulnerabilities uncovered by Claroty are as follows:
Improper privilege management (CVE-2019-19100): This privilege escalation vulnerability could allow authenticated users to delete arbitrary files via an exposed interface.
Missing required cryptographic step (CVE-2019-19101): This missing security communication definition, which leads to incomplete TLS encryption and validation, can enable unauthenticated users to perform man-in-the middle (MITM) attacks via the B&R upgrade server.
Path traversal (CVE-2019-19102): This directory traversal vulnerability in SharpZipLib, also known as a "zip slip," allows unauthenticated users to write to certain local directories.
According to Preminger, an attacker could combine the missing required cryptographic step with the path traversal vulnerability to intervene during a software update, conduct a MITM attack, and install their own malicious code within a victim's network. Leveraging these vulnerabilities, a threat actor could conduct a DNS cache poisoning attack against computers within an OT network while posing as the B&R update server to avoid detection.
In a DNS cache poisoning attack, also known as DNS spoofing, an adversary diverts traffic to a malicious destination while altering DNS records to create the impression of normal, legitimate activity. "This attack is based on hijacking a domain, which becomes much easier if the attacker has gained access to a closed ICS network," Preminger explained in a recent interview with SecurityWeek. "Often, there are no DNS servers to respond to the client. Windows will fallback to local discovery protocols, which are easier to deceive."
B&R Automation recommends applying product updates at the earliest convenience and has provided several workaround mitigations for users unable to upgrade immediately.
To learn more about how Claroty can help your team discover and mitigate vulnerabilities within your OT environment, request a demo.
CWE-23 RELATIVE PATH TRAVERSAL:
An 'Arbitary File Deletion' in Samsung DMS (Data Management Server) allows attackers to delete arbitary files from unintended locations on the filesystem. Exploitation is restricted to specific, authorized private IP addresses.
Samsung recommends users to contact a Samsung call center or installer for a software update.
This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."
CVSS v3: 8.1
CWE-22 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL'):
An 'Arbitary File Creation' in Samsung DMS (Data Management Server) allows attackers to create arbitary files in unintended locations on the filesystem. Exploitation is restricted to specific, authorized private IP addresses.
Samsung recommends users to contact a Samsung call center or installer for a software update.
This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."
CVSS v3: 7.2
CWE-22 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY PATHNAME TO A A RESTRICTED DIRECTORY ('PATH TRAVERSAL'):
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Samsung DMS (Data Management Server) allows authenticated attackers to create arbitary files in unintended locations on the filesystem.
Samsung recommends users to contact a Samsung call center or installer for a software update.
This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."
CVSS v3: 7.1
CWE-36 ABSOLUTE PATH TRAVERSAL:
Absolute Path Traversal in Samsung DMS (Data Management Server) allows authenticated attacker (Administrator) to read sensitive files.
Samsung recommends users to contact a Samsung call center or installer for a software update.
This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."
CVSS v3: 4.9
CWE-502 DESERIALIZATION OF UNTRUSTED DATA:
Deserialization of Untrusted Data in Samsung DMS (Data Management Server) allows attackers to execute arbitary code via write file to system.
Samsung recommends users to contact a Samsung call center or installer for a software update.
This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."
CVSS v3: 8.0