Walkthrough on Finding Vulnerabilities on CODESYS Webvisu and ifm SmartPLC

Gary Kong
5 min read · Jun 5, 2021

1. Introduction

When cybersecurity controls are not in place, an insider or intruder can compromise Operational Technology (OT) assets and derail the Digital Transformation (DX) journey.

In this article, we highlight web security issues related to Identification and Authentication Control (IAC) in OT products that manufacturers might use in their production plants. We also walk through the technical steps we follow to conduct the assessment.

Before we conduct the assessment on these OT assets, let's briefly introduce the technologies shown in this article.

CODESYS Webvisu

CODESYS Webvisu is a web-based Human Machine Interface (HMI) that provides visualization so operators can monitor or control physical processes within the industrial environment. The HMI also helps operators produce the required process results or products effectively.

Image retrieved from https://www.codesys.com/products/codesys-visualization/webvisu.html

ifm SmartPLC

ifm SmartPLC is a Programmable Logic Controller (PLC) that provides the functionality to:

  1. retrieve inputs (e.g. a temperature value) from sensors
  2. control actuators or valves (e.g. shut down the temperature control)

The PLC also communicates with external components, such as the HMI. It is programmable using a development tool, such as CODESYS installed on an Engineering Workstation (EWS).

Network Architecture of CODESYS WebVisu
Image retrieved from https://www.codesys.com/products/codesys-visualization/webvisu.html

Now that we understand the architecture, we proceed to the vulnerability assessment of CODESYS Webvisu and ifm SmartPLC.

Part 1: CODESYS Webvisu

1.1 Access to CODESYS WebVisu Web Application

We can access the CODESYS WebVisu web application with the URL below. By default, the name of the .htm file is webvisu.

http://<IP Address of WebVisu Server>:8080/<Name of .htm file>.htm

webvisu.js is one of the indicators that the HMI is built using CODESYS WebVisu.

1.2 Looking for Publicly Disclosed Vulnerability

After understanding the technology used, we search for publicly known vulnerabilities related to this product. Security Focus is a good place to check.

We found a vulnerability related to password disclosure, but no exploit code is available.

Could the passwords be stored in a file? To find out, we have to understand the file structure of the WebVisu server.

1.3 File Structure of WebVisu Server

We use Google Hacking to search GitHub repositories for files named imagepoolcollection.csv.

site:github.com "imagepoolcollection.csv"
Google results returned

We locate a file matching the imagepoolcollection.csv keyword inside the ProjetAutomneAutomatisme GitHub repository. Two questions come to mind:

  1. Why is port_851 prefixed to the file name?
  2. The file next to imagepoolcollection.csv, “Visu User Management Database”, seems interesting!

We open visuusermgmtdb.csv, and it shows a list of users with password hashes! We will try it on our target machine. Before that, we have to identify the meaning of port_851.

Apart from imagepoolcollection.csv, a file with the extension .cfg.json is also loaded by our WebVisu server. We look into the content of webvisu.cfg.json and find that Port_851 refers to an Application.

1.4 Unauthenticated Password Hash Disclosure in CODESYS WebVisu

After getting the Application name from the target WebVisu server, we send an HTTP request to the server for a file with the following name format:

<Application>_visuusermgmtdb.csv

The server returns a list of users and their password hashes!

Remark: In this article, we will not demonstrate how to obtain the plain-text password from the password hashes.

Imagine if the passwords were known to an adversary: they could log in to the HMI and manipulate the physical process (T0831 Manipulation of Control).
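As an added example (not part of the original article), a small Python check that a defender can run over web-server access logs to spot requests for the <Application>_visuusermgmtdb.csv file described above, rating a successful fetch as high severity and a failed guess as an attempt. The log lines, hosts and request paths are constructed for the example; only the Port_851 application name comes from the article.

```python
import re
from dataclasses import dataclass

# Constructed sample access log (Common Log Format) for a WebVisu server. The
# application name Port_851 is from the article; the hosts and paths are assumed.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jun/2021:10:01:02 +0800] "GET /webvisu.htm HTTP/1.1" 200 2131
10.0.0.5 - - [05/Jun/2021:10:01:03 +0800] "GET /webvisu.js HTTP/1.1" 200 88310
10.0.0.5 - - [05/Jun/2021:10:01:04 +0800] "GET /webvisu.cfg.json HTTP/1.1" 200 412
10.0.0.5 - - [05/Jun/2021:10:01:05 +0800] "GET /Port_851_imagepoolcollection.csv HTTP/1.1" 200 990
10.0.0.9 - - [05/Jun/2021:10:02:10 +0800] "GET /webvisu.cfg.json HTTP/1.1" 200 412
10.0.0.9 - - [05/Jun/2021:10:02:11 +0800] "GET /Port_851_visuusermgmtdb.csv HTTP/1.1" 200 305
10.0.0.9 - - [05/Jun/2021:10:02:12 +0800] "GET /visuusermgmtdb.csv HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$')
# <Application>_visuusermgmtdb.csv holds the HMI users and their password hashes.
USER_DB_RE = re.compile(r'/(?P<app>[^/]+)_visuusermgmtdb\.csv$', re.IGNORECASE)
BARE_DB_RE = re.compile(r'/visuusermgmtdb\.csv$', re.IGNORECASE)

@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    status: str
    app: str       # application prefix in the file name, "" if none
    severity: str  # "high": hashes were served (HTTP 200); "attempt": request failed

def parse_line(line):
    """Split one CLF line into named fields; returns None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan_log(text):
    """Return one Finding per request for a visuusermgmtdb.csv file, in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = USER_DB_RE.search(rec["path"])
        if m is None and BARE_DB_RE.search(rec["path"]) is None:
            continue  # ordinary HMI traffic (webvisu.htm, .js, .cfg.json, image pool)
        severity = "high" if rec["status"] == "200" else "attempt"
        findings.append(Finding(rec["ip"], rec["ts"], rec["path"], rec["status"],
                                m.group("app") if m else "", severity))
    return findings
```

Running scan_log(SAMPLE_LOG) yields two findings: the HTTP 200 fetch of Port_851_visuusermgmtdb.csv from 10.0.0.9 rated high, and the failed guess of the bare file name recorded as an attempt; the normal HMI page loads are ignored.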

Part 2: ifm SmartPLC

2.1 Access to ifm SmartPLC Web Console

We can easily access the ifm SmartPLC web console with the URL below:

http://<IP Address of ifm SmartPLC>

After we access the web console, surprisingly, the login status at the top right corner shows that we are already logged in?!

In the ifm SmartPLC device manual, we found an interesting piece of information. The System Engineer is required to log off manually before leaving the web console; otherwise, the system remains logged in!

SmartPLC DataLine with EtherCAT slave interface Device manual, page 34

2.2 Broken Authentication on ifm SmartPLC

If the engineer forgets to log off, an adversary can stop the PLC and disrupt the manufacturing process without having to authenticate!

Conclusion

In this article, we have demonstrated web security issues related to Identification and Authentication Control (IAC) in CODESYS WebVisu and ifm SmartPLC.

Broken authentication results in operational disruption. To ensure quality and delivery in a production plant, it is necessary to implement security controls within OT assets.
