Several vulnerabilities found by researchers in B&R Automation's Automation Studio software make attacks across OT networks easier for malicious actors. The vendor has begun to issue patches.
B&R Automation is an Austrian automation company that offers industrial PC, HMI, PLC, protection, motion control, and communication products. Automation Studio is an automation system that covers every aspect of production and the run-time environment, including power, HMIs, operation, and security.
According to the United States Cybersecurity and Infrastructure Security Agency (CISA), the company's products are used globally, in particular in the oil, chemical, and other critical industries. CISA released an advisory last week to warn organizations about the vulnerabilities.
Researchers from industrial cybersecurity company Claroty found that version 4 of B&R Automation Studio has three vulnerabilities that could be exploited by attackers who already have access to a target organization's industrial control system (ICS) network.
“The combination of these two vulnerabilities gives an attacker with access to the victim network the ability to conduct an MITM attack and intervene in the software update process,” Preminger explained. “A malicious attacker could hijack the initial DNS request to the B&R update server and direct the update utility to retrieve the updates from his own site. Since there was no proper verification of the update server or the update package, at this point the attacker could exploit the path traversal through the update vulnerability, and execute their own code on the Automation Studio host with SYSTEM privileges.”
The expert added, “This attack is based on hijacking a domain, which becomes much easier if the attacker has gained access to a closed ICS network, where often there are no DNS servers to respond to the client, and Windows will fall back to local discovery protocols which are easier to deceive.”
Preminger described a scenario in which an attacker with access to the Automation Studio network performs a DNS poisoning attack against engineering machines and impersonates the B&R update server. The attacker would then exploit the vulnerabilities to execute code and compromise those engineering workstations.
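The two missing controls described above are verification of the update package before it is used and rejection of archive members whose paths escape the install directory. The following is an added example, not B&R's code or Claroty's proof of concept, of an update client that applies both checks; it assumes the expected SHA-256 digest arrives through a separately authenticated manifest, and the sample archives are constructed in the block itself.

```python
import hashlib, io, tempfile, zipfile
from pathlib import Path
class UpdateRejected(Exception):
    """Package failed verification or a member escapes the install directory."""

def safe_member_path(dest: Path, member_name: str) -> Path:
    # Resolve the member under dest; absolute names or '..' that leave dest are refused.
    target = (dest / member_name).resolve()
    if target != dest and dest not in target.parents:
        raise UpdateRejected(f"path traversal in member: {member_name!r}")
    return target

def verify_and_extract(package: bytes, expected_sha256: str, dest: Path) -> list:
    # Authenticate the bytes before parsing them (assumed: digest from a signed manifest).
    if hashlib.sha256(package).hexdigest() != expected_sha256:
        raise UpdateRejected("package digest mismatch; refusing to install")
    dest, written = dest.resolve(), []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        # Validate every member before writing so a bad archive installs nothing.
        plan = [(info, safe_member_path(dest, info.filename)) for info in zf.infolist()]
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.relative_to(dest).as_posix())
    return written

def build_package(members: dict) -> bytes:
    # Constructed sample data: an in-memory ZIP built from {member name: content}.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo() -> dict:
    root = Path(tempfile.mkdtemp())
    good = build_package({"bin/tool.exe": b"MZ...", "README.txt": b"ok"})
    bad = build_package({"../../Windows/System32/evil.dll": b"MZ..."})
    cases = {"good": (good, hashlib.sha256(good).hexdigest()),
             "traversal": (bad, hashlib.sha256(bad).hexdigest()),
             "tampered": (good, "0" * 64)}  # wrong digest stands in for a swapped package
    results = {}
    for label, (pkg, digest) in cases.items():
        try:
            results[label] = verify_and_extract(pkg, digest, root / label)
        except UpdateRejected as err:
            results[label] = str(err)
    return results
```

Server authentication (TLS with a pinned issuer for the update host) is the other half of the fix and is out of scope here; the digest check alone already defeats a substituted package even when name resolution has been hijacked.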
“Once the attacker gains a foothold in the ICS network, they can use a variety of targeted ICS vulnerabilities to attack programmable logic controllers (PLCs) and other critical equipment in the ICS network,” Preminger said. “An example of such a payload can be a DoS attack on B&R PLCs, such as the one that Claroty discovered in the B&R PLC SNMP server.”
B&R said it did not find any evidence that any of these vulnerabilities were used for malicious purposes.
The vendor has released patches for some of the affected versions and is working on updates for the others. It has also shared recommendations on how to mitigate attacks.