Forescout Technologies has released information on vulnerabilities affecting operational technology (OT) products from Wago and Schneider Electric. These vulnerabilities were discovered during the OT:Icefall research, which has led to the public disclosure of 61 vulnerabilities affecting over 100 OT products from 13 vendors. Initially, 56 vulnerabilities were disclosed in June 2022, followed by three more in November 2022. Forescout is now adding two new vulnerabilities to the list and providing details on a previously identified but undisclosed issue.
The two new vulnerabilities, tracked as CVE-2023-1619 and CVE-2023-1620, affect Wago 750 controllers running the Codesys v2 runtime. Both can be exploited by an authenticated attacker to cause a denial-of-service (DoS) condition. Forescout explains that the first issue stems from a poor implementation of the protocol parsers, while the second is an insufficient session expiration bug: an authenticated attacker can crash the device by sending a malformed packet (CVE-2023-1619) or by sending specific requests after having logged out (CVE-2023-1620). In both cases, returning the device to an operating state requires a manual reboot.
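The two weakness classes named above (a parser that trusts what a frame says about itself, and a session table that does not really end a session on logout) are easier to see side by side than in prose. The block below is an added example written for this page, not Wago's, Codesys's or Forescout's code: it invents a toy engineering-protocol frame format, a vulnerable and a hardened parser, a vulnerable and a hardened session store, and a minimal device loop in which an unhandled parser exception stands in for the controller crash the article describes. The frame layout, opcodes, port-less transport and session identifiers are all assumptions made for the illustration and say nothing about the real Wago 750 protocol or the exact trigger of either CVE.

```python
import struct
import time

# Toy "engineering protocol" invented for this example (NOT the Codesys v2 or
# Wago wire format): 2-byte magic, 1-byte opcode, 2-byte payload length, payload.
MAGIC = b"\xCA\xFE"
OP_LOGIN, OP_LOGOUT, OP_READ = 1, 2, 3
HEADER = struct.Struct(">2sBH")
READ_BODY = struct.Struct(">HH")  # register address, register count

def build_frame(opcode, payload=b"", declared_len=None):
    """Build a frame; declared_len lets a caller craft a header that lies about the payload size."""
    length = len(payload) if declared_len is None else declared_len
    return HEADER.pack(MAGIC, opcode, length) + payload

def parse_frame_vulnerable(data):
    """Malformed-packet DoS pattern: the declared length is trusted and a fixed-size
    body is unpacked without checking that those bytes were actually received."""
    _magic, opcode, length = HEADER.unpack_from(data)
    payload = data[HEADER.size:HEADER.size + length]
    if opcode == OP_READ:
        reg, count = READ_BODY.unpack(payload[:READ_BODY.size])  # struct.error if short
        return opcode, reg, count
    return opcode, None, None

def parse_frame_hardened(data):
    """Same parser with every length checked before use; bad input is a ValueError, not a crash."""
    if len(data) < HEADER.size:
        raise ValueError("short header")
    magic, opcode, length = HEADER.unpack_from(data)
    if magic != MAGIC:
        raise ValueError("bad magic")
    payload = data[HEADER.size:]
    if len(payload) != length:
        raise ValueError("declared length does not match frame")
    if opcode == OP_READ:
        if length != READ_BODY.size:
            raise ValueError("bad READ body length")
        return (opcode,) + READ_BODY.unpack(payload)
    return opcode, None, None

class VulnerableSessions:
    """Insufficient session expiration: logout is recorded, but the token stays usable."""
    def __init__(self):
        self.active, self.logged_out = set(), set()
    def login(self, sid):
        self.active.add(sid)
    def logout(self, sid):
        self.logged_out.add(sid)       # bug: token is never removed from 'active'
    def is_valid(self, sid):
        return sid in self.active      # bug: 'logged_out' is never consulted

class HardenedSessions:
    """Logout destroys the session; idle sessions also expire after idle_timeout seconds."""
    def __init__(self, idle_timeout=300, clock=time.monotonic):
        self.idle_timeout, self.clock, self.last_seen = idle_timeout, clock, {}
    def login(self, sid):
        self.last_seen[sid] = self.clock()
    def logout(self, sid):
        self.last_seen.pop(sid, None)
    def is_valid(self, sid):
        seen = self.last_seen.get(sid)
        if seen is None or self.clock() - seen > self.idle_timeout:
            self.last_seen.pop(sid, None)
            return False
        self.last_seen[sid] = self.clock()
        return True

def run_device(parser, sessions, requests):
    """Process (session_id, frame) pairs and return the response log. An unhandled
    parser exception ends the loop, standing in for a controller that needs a reboot."""
    log = []
    for sid, frame in requests:
        try:
            opcode, reg, count = parser(frame)
        except ValueError as exc:      # hardened parser: input rejected, device keeps running
            log.append(f"reject: {exc}")
            continue
        except struct.error:           # vulnerable parser: malformed input takes the device down
            log.append("CRASHED")
            break
        if opcode == OP_LOGIN:
            sessions.login(sid)
            log.append("login ok")
        elif opcode == OP_LOGOUT:
            sessions.logout(sid)
            log.append("logout ok")
        elif opcode == OP_READ:
            log.append("read ok" if sessions.is_valid(sid) else "denied: no session")
    return log

def scenario(parser, sessions):
    """One authenticated client: read, log out, read again, then send a header that lies."""
    sid, read = "sess-1", build_frame(OP_READ, READ_BODY.pack(0x1000, 2))
    requests = [(sid, build_frame(OP_LOGIN)), (sid, read), (sid, build_frame(OP_LOGOUT)),
                (sid, read),                                           # request after logout
                (sid, build_frame(OP_READ, b"\x10", declared_len=4)),  # header claims 4 bytes, 1 sent
                (sid, read)]
    return run_device(parser, sessions, requests)

if __name__ == "__main__":
    print("vulnerable:", scenario(parse_frame_vulnerable, VulnerableSessions()))
    print("hardened:  ", scenario(parse_frame_hardened, HardenedSessions()))
```

Run as a script, the vulnerable pairing honours the read that arrives after logout and then dies on the lying header; the hardened pairing denies the post-logout read, rejects the malformed frame with a message, and is still serving requests afterwards. The idle timeout in `HardenedSessions` is the second half of a proper expiration policy: a session that is never explicitly logged out must still stop being valid on its own.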
Wago 750 automation controllers are used in sectors including commercial facilities, energy, manufacturing, and transport. They support multiple industrial protocols, such as BACnet/IP, CANopen, DeviceNet, Ethernet/IP, KNX, LonWorks, Modbus, and PROFIBUS. Forescout has also shared information on a high-severity vulnerability in Schneider Electric's ION and PowerLogic product lines, which was identified in the first set of OT:Icefall bugs but withheld at the vendor's request. The issue, tracked as CVE-2022-46680, affects the power meters' ION/TCP protocol implementation, which transmits a user ID and password in plaintext with every message, so an attacker who can passively intercept the traffic obtains the credentials.
Forescout states, “An attacker who obtains ION or PowerLogic credentials can authenticate to the ION/TCP engineering interface as well as SSH and HTTP interfaces to change energy monitor configuration settings and potentially modify firmware. If the credentials in question are (re)used for other applications, their compromise could potentially facilitate lateral movement.” Although these devices should not be accessible from the internet, Forescout has discovered between 2,000 and 4,000 potentially unique devices exposed online. Most identified Wago controllers have the HTTP protocol exposed, while Schneider Electric meters expose the Telnet protocol. Wago devices are predominantly used in Europe (primarily in Germany, Turkey, and France), and ION meters are popular in North America.
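Because the ION/TCP, Telnet and HTTP interfaces carry credentials in the clear, the practical control is to make sure the only traffic reaching them comes from a small, segmented engineering network, and to alert on anything else. The block below is an added example, not Forescout's tooling or anything from the article: it assesses constructed flow records against an assumed address plan (an OT subnet, an engineering allowlist, and the enterprise's private ranges), grading internet-sourced access highest, access from non-allowlisted internal hosts next, and cleartext-credential protocols used even from allowed hosts as something to keep inside the segmented VLAN. The flow-record format, the addresses and the port-to-service table are assumptions; 7700 is the commonly documented ION/TCP default, and should be confirmed against the meters' own configuration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed address plan for the example (not from the article):
OT_DEVICES = ipaddress.ip_network("10.20.1.0/24")       # meters and controllers
ENGINEERING = [ipaddress.ip_network("10.20.9.0/24")]    # hosts allowed to manage them
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Destination port -> (service name, protocol sends credentials in the clear).
# 7700 is the usual ION/TCP default; confirm it against the meter configuration.
SERVICES = {
    7700: ("ION/TCP", True),
    23: ("Telnet", True),
    80: ("HTTP", True),
    22: ("SSH", False),
    502: ("Modbus/TCP", False),  # unauthenticated, but there is no credential to leak
}

@dataclass
class Finding:
    severity: str
    reason: str
    src: str
    dst: str
    service: str

def in_any(addr, nets):
    return any(addr in net for net in nets)

def parse_flow(line):
    """Constructed flow format: '<timestamp> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto.lower()

def assess_flow(line):
    """Return a Finding for a flow that reaches an OT management service it should not, else None."""
    _ts, src, dst, dport, proto = parse_flow(line)
    if dst not in OT_DEVICES or proto != "tcp" or dport not in SERVICES:
        return None
    name, cleartext = SERVICES[dport]
    if not in_any(src, INTERNAL):
        return Finding("critical", "management service reachable from outside the enterprise",
                       str(src), str(dst), name)
    if not in_any(src, ENGINEERING):
        return Finding("high", "access from a host outside the engineering allowlist",
                       str(src), str(dst), name)
    if cleartext:
        return Finding("medium", "credentials cross the network in the clear; keep this path "
                       "inside the segmented engineering VLAN", str(src), str(dst), name)
    return None

def assess(lines):
    findings = []
    for line in lines:
        finding = assess_flow(line)
        if finding is not None:
            findings.append(finding)
    return findings

SAMPLE_FLOWS = [  # constructed for this example; documentation-range addresses play the internet
    "2023-03-28T10:01:12Z 198.51.100.23 10.20.1.5 7700 tcp",
    "2023-03-28T10:01:13Z 10.20.9.40 10.20.1.5 7700 tcp",
    "2023-03-28T10:01:14Z 10.20.9.40 10.20.1.5 22 tcp",
    "2023-03-28T10:01:15Z 10.40.3.7 10.20.1.5 23 tcp",
    "2023-03-28T10:01:16Z 203.0.113.9 10.20.1.8 80 tcp",
    "2023-03-28T10:01:17Z 10.20.9.41 10.20.1.8 502 tcp",
    "2023-03-28T10:01:18Z 10.20.9.41 10.20.1.8 161 udp",
]

if __name__ == "__main__":
    for f in assess(SAMPLE_FLOWS):
        print(f"[{f.severity}] {f.src} -> {f.dst} {f.service}: {f.reason}")
```

The "external" test is deliberately an allowlist of the enterprise's own ranges rather than Python's `is_global`, which treats the documentation ranges used in the sample as non-global and would also misjudge any carrier-grade NAT or partner space an organisation happens to use; own the definition of "inside" explicitly. The medium finding is the one to act on after the critical and high ones are gone: it is the path on which CVE-2022-46680 is exploitable by anyone who can sniff the segment.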
Upon concluding the one-year OT:Icefall research project, Forescout observed several instances of incomplete patches, including some originating in software supply-chain components that led to new vulnerabilities. Most discovered flaws have had advisories issued (except for bugs in Emerson's Ovation distributed control system). The vendor response to OT:Icefall was generally positive, particularly when compared to the 2021 Project Memoria research, which identified approximately 100 vulnerabilities in TCP/IP stacks, for which only 22.5% of impacted vendors have issued advisories.