| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| MULTIPROG | all versions | |
| ProConOS eCLR (SDK) | all versions |
Increased Security attacks against OT infrastructure and research of Dragos makes it necessary to publish this advisory giving users hints according to basic security measures to support automation systems using existing devices based on ProConOS/ProConOS eCLR.
ProConOS/ProConOS eCLR controller runtime system has been offered as a Software Development Kit (SDK) to automation suppliers that build their own automation devices. ProConOS/ProConOS eCLR is embedded into automation suppliers’ hardware, real-time operating systems (RTOS), firmware, and I/O systems.
The application (e.g.: logic files, executable logic, configurations) had been designed without integrity and authenticity check which was state of the art when developing the products.
Logic files generated by MULTIPROG Engineering tool could be manipulated on the engineering station and loaded into the PLC without tamper detection. In addition, tampering can be done by specially designed attacks in such a way that it remains hidden, and the logic program modifies its own code, making it difficult to determine the impact of a malicious program.
Users need to check with their device vendors if they are affected by this attack vulnerability or if the specific device integration mitigates this attack vector.
Incorrect Permission Assignment for Critical Resource vulnerability in PHOENIX CONTACT MULTIPROG, PHOENIX CONTACT ProConOS eCLR (SDK) allows an unauthenticated remote attacker to upload arbitrary malicious code and gain full access on the affected device.
The identified vulnerabilities allow attackers to generate applications or upload them with arbitrary malicious code once they have access to the engineering station or communication to devices using ProConOS eCLR. This vulnerability affects all versions of ProConOS eCLR and MULTIPROG from Phoenix Contact (formerly KW-Software).
Mitigation
Industrial controllers based on ProConOS eCLR runtime are typically designed for use in closed industrial networks with a defense-in-depth approach focusing on network segmentation. In such an approach, the production facility is protected from attacks, especially from the outside, by a multi-level perimeter including firewalls as well as the division of the facility into OT zones using firewalls. This concept is supported by organizational measures in the production plant as part of a security management system. To achieve security here, measures are required at all levels. Engineering stations using MULTIPROG must also be part of closed industrial networks.
Manufacturers who use ProConOS eCLR runtime in their automation devices are recommended to review their implementation and, if necessary, publish corresponding advisories for their products.
Users of automation devices that use MULTIPROG Engineering and ProConOS eCLR runtime in their automation systems must check whether their application requires additional security measures. These include, for example, adequate defense-in-depth network architecture, the use of virtual private networks (VPNs) for remote access, and the use of firewalls for network segmentation or controller isolation. Users should review their manufacturer's security advisories for more appropriate information about their specific device.
Users should ensure that logic is always transmitted or stored in protected environments. This applies both to data in transmission and to data at rest. Connections between engineering tools and the controller must always be protected in a locally protected environment or via VPN for remote access. Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks.
Project data should only be stored in protected environments.
For general information and recommendations on security measures to protect network-enabled
devices, refer to the application note: Application Note Security
This vulnerability was reported by Reid Wightman at Dragos, Inc.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.