You may have heard about the discovery of CVE-2020-16226, a serious vulnerability that lets an attacker spoof a trusted peer so that the device accepts forged traffic, opening the way to remote command execution. In the hands of a bad actor, this vulnerability has tremendous potential to compromise a factory’s assets. All in all, 60 devices are affected – see a list of them here, on Information Security Newspaper. This vulnerability was reported by Ta-Lun Yen of TXOne’s own threat research task force, working together with the Zero Day Initiative (ZDI).
The vulnerability stems from the nature of the TCP protocol. TCP is “stateful”: both endpoints must keep track of the connection’s state in order to talk to each other. Every TCP segment carries a sequence (SEQ) number and an acknowledgement (ACK) number. When a device sends its next segment, its SEQ number must match the ACK number it last received from the peer, and any segment arriving with a SEQ number that is not the expected one is normally discarded. For this reason, it is extremely important that the very first SEQ number of a connection, the initial sequence number (ISN), is not chosen from predictable values.
In this case, an internal clock (the time since power-on) was used as the initial SEQ number, which made it predictable. This made it possible for an intruder to inject packets into the connection between the PLC and the PC. Our assumption is that this source code was shared between different models, hence the long list of affected devices.
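The following script is an added illustration, not code from TXOne, ZDI or the affected vendor. It models the weak scheme described above (an ISN taken straight from the power-on clock; the microsecond granularity is an assumption), places an RFC 6528 style ISN beside it (timer plus a keyed hash of the connection four-tuple, with SHA-256 used here as the PRF), and shows the check a defender would run over the ISNs seen in a capture of successive connection setups to one device: if the observed ISNs can be predicted from elapsed time alone, the generator is clock-based. The addresses, ports, secret and capture times are all constructed for the demonstration.

```python
"""Added example: clock-derived vs RFC 6528 TCP initial sequence numbers, and a
predictability check over ISNs observed in a packet capture. Not vendor code."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def clock_based_isn(uptime_us: int) -> int:
    # Weak scheme modelled on the post: the ISN is simply the time since
    # power-on (assumed here to be counted in microseconds), kept to 32 bits.
    return uptime_us & MASK32


def rfc6528_isn(uptime_us, local_ip, local_port, remote_ip, remote_port, secret):
    # RFC 6528: ISN = M + F(localip, localport, remoteip, remoteport, secret),
    # where M is a 4-microsecond timer and F is a keyed PRF (SHA-256 here,
    # truncated to 32 bits). The per-connection offset hides the clock.
    m = (uptime_us // 4) & MASK32
    conn = f"{local_ip}:{local_port}>{remote_ip}:{remote_port}".encode()
    f = struct.unpack("!I", hashlib.sha256(secret + conn).digest()[:4])[0]
    return (m + f) & MASK32


def signed_diff32(a: int, b: int) -> int:
    # a - b in modulo-2^32 arithmetic, mapped to the signed range so that a
    # sequence-number wrap-around still yields a small delta.
    d = (a - b) & MASK32
    return d - (1 << 32) if d >= (1 << 31) else d


def assess_isn_predictability(samples, tolerance=1024):
    """samples: list of (capture_time_us, isn) taken from successive connection
    setups to one device, e.g. the SEQ field of each SYN-ACK in a capture.
    Fits a linear clock model to the first two samples and reports how far
    the remaining observed ISNs fall from it. Returns (max_error, predictable);
    a tiny error means the ISN can be inferred from elapsed time alone."""
    if len(samples) < 3:
        raise ValueError("need at least three samples")
    (t0, s0), (t1, s1) = samples[0], samples[1]
    if t1 == t0:
        raise ValueError("first two samples must have distinct times")
    rate = signed_diff32(s1, s0) / (t1 - t0)  # ISN units per microsecond
    max_error = 0
    for t, s in samples[2:]:
        predicted = (s0 + round(rate * (t - t0))) & MASK32
        max_error = max(max_error, abs(signed_diff32(s, predicted)))
    return max_error, max_error <= tolerance


def clock_samples(times_us):
    # Constructed capture: a clock-based device answering at the given uptimes.
    return [(t, clock_based_isn(t)) for t in times_us]


def rfc6528_samples(times_us, secret=b"constructed-demo-secret"):
    # Constructed capture: same uptimes, RFC 6528 generator; each connection
    # from the PC uses a fresh ephemeral port (addresses/ports are placeholders).
    return [(t, rfc6528_isn(t, "192.0.2.10", 5000, "192.0.2.20", 49152 + i, secret))
            for i, t in enumerate(times_us)]


if __name__ == "__main__":
    times = [1_000_000, 1_500_000, 2_250_000, 3_000_000]
    print("clock-based:", assess_isn_predictability(clock_samples(times)))
    print("RFC 6528   :", assess_isn_predictability(rfc6528_samples(times)))
```

Feeding the check with ISNs taken from real SYN-ACKs works the same way; a result near zero error is the signal that the device's ISN should be treated as guessable and the asset isolated until patched, as the recommendations below describe.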
New threats such as this one emerge on the internet every day. It’s vital to use cyber defense solutions that are constantly adapted to block newly discovered vulnerabilities from being exploited. In the present threat environment, this is the only way to keep a modern factory running at full speed while also protecting stakeholders from liability.
To prevent this and similar vulnerabilities from affecting your work site, we recommend that you:
- Deploy network segmentation using assets maintained by a threat research team, like EdgeFire and EdgeIPS
- Keep assets patched and up-to-date as much as possible
- Regularly scan computers that interface with affected devices for malware using up-to-date signatures
- Use a VPN or firewall
- Place potentially vulnerable assets within a secured LAN