SRC-2018-0007 : Beckhoff TwinCAT3 Multiple Kernel Drivers Untrusted Pointer Dereference Privilege Escalation Vulnerabilities

CVE ID:

CVE-2018-7502

CVSS Score:

6.9, (AV:L/AC:H/Au:N/C:C/I:C/A:C)

Affected Vendors:

Beckhoff

Affected Products:

TwinCAT3

Vulnerability Details:

This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of Beckhoff TwinCAT3. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists in the handling of the 0x00222206 IOCTL in the following kernel drivers:

  1. TcAnalytics.sys
  2. TcCnc.sys
  3. TcIoBACnetR9.sys
  4. TcIoCCat.sys
  5. TcIoDrivers.sys
  6. TcIoECat.sys
  7. TcIoECatSimu.sys
  8. TcIoESlv.sys
  9. TcIoEth.sys
  10. TcIoEthIp.sys
  11. TcIoPNet.sys
  12. TcIotDrivers.sys
  13. TcNcObjects.sys
  14. TcPlc30.sys
  15. TcRouter.sys
  16. TcRtsObjects.sys
  17. TcIo.sys
  18. TcNc.sys
  19. TcRTime.sys

The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker could leverage this vulnerability to execute arbitrary code in the context of SYSTEM.
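The missing check described above, illustrated in C as an added example (not Beckhoff's driver code and not part of the original advisory): a handler that dereferences a user-supplied value directly, beside one that first confirms the value is aligned and lies entirely inside the request's already-validated user region. The request layout, the region type and all function names are assumptions; in a real Windows driver the equivalent step is probing the address with ProbeForRead inside __try/__except before touching it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical request layout: the IOCTL input carries a value the driver treats as a pointer. */
#define IOCTL_EXAMPLE 0x00222206u   /* code named in the advisory; the layout below is assumed */
typedef struct { uint32_t code; uint64_t ptr_value; } request_t;   /* ptr_value is user-controlled */
typedef struct { uintptr_t base; size_t len; } region_t;           /* user memory already validated */
/* Vulnerable pattern: the user-supplied value is dereferenced as-is, whatever it points at. */
static int handler_unsafe(const request_t *req, uint32_t *out) {
    if (req->code != IOCTL_EXAMPLE) return -1;
    *out = *(const uint32_t *)(uintptr_t)req->ptr_value;   /* any address the caller chose */
    return 0;
}
/* Hardened: the value must be aligned and lie fully inside the validated user region
 * (on Windows the analogous step is ProbeForRead inside __try/__except). */
static bool ptr_in_region(const region_t *r, uint64_t p, size_t need, size_t align) {
    if (p % align != 0 || p < r->base) return false;
    uint64_t off = p - r->base;                      /* cannot wrap: p >= base */
    return off <= r->len && r->len - off >= need;    /* room for `need` bytes at p */
}
static int handler_hardened(const request_t *req, const region_t *user, uint32_t *out) {
    if (req->code != IOCTL_EXAMPLE) return -1;
    if (!ptr_in_region(user, req->ptr_value, sizeof *out, sizeof *out)) return -2;
    memcpy(out, (const void *)(uintptr_t)req->ptr_value, sizeof *out);
    return 0;
}
static uint32_t sample_user_buf = 0x41424344u;       /* constructed 4-byte user buffer */
static uint32_t read_unsafe_valid(void) {            /* same buffer through the unchecked path */
    request_t req = { IOCTL_EXAMPLE, (uint64_t)(uintptr_t)&sample_user_buf };
    uint32_t v = 0;
    return handler_unsafe(&req, &v) == 0 ? v : 0;
}
static int probe(uint64_t ptr_value, size_t region_len, uint32_t *v) {
    region_t user = { (uintptr_t)&sample_user_buf, region_len };
    request_t req = { IOCTL_EXAMPLE, ptr_value };
    return handler_hardened(&req, &user, v);
}
static uint32_t read_in_region(void) {               /* pointer inside the region: accepted */
    uint32_t v = 0;
    return probe((uint64_t)(uintptr_t)&sample_user_buf, sizeof sample_user_buf, &v) == 0 ? v : 0;
}
static int case_foreign_address(void) {              /* constructed kernel-range value: rejected */
    uint32_t v; return probe(0xFFFFF80000000000ull, sizeof sample_user_buf, &v);
}
static int case_short_region(void) {                 /* region ends one byte too early: rejected */
    uint32_t v; return probe((uint64_t)(uintptr_t)&sample_user_buf, sizeof sample_user_buf - 1, &v);
}
```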

Vendor Response:

Beckhoff has issued an update to correct these vulnerabilities. More details can be found at:
https://download.beckhoff.com/download/Document/product-security/Advisories/advisory-2018-001.pdf

Disclosure Timeline:

  • 2017-09-27 – Verified and sent to Beckhoff and ICS-CERT
  • 2018-03-13 – Coordinated public release of advisory

Proof of Concept:

/pocs/src-2018-0007.py.txt

Credit:

This vulnerability was discovered by Steven Seeley (mr_me) of Source Incite