Î÷ÃÅ×Ó PLCÔ¶³Ì´úÂëÖ´Ðзì϶£¨CVE-2020-15782£©

°ä²¼¹¦·ò 2021-05-31

0x00 ·ì϶¸ÅÊö

CVE  ID

CVE-2020-15782

ʱ   ¼ä

2021-05-31

Àà   ÐÍ

RCE

µÈ   ¼¶

¸ßΣ

Ô¶³ÌÀûÓÃ

ÊÇ

Ó°ÏìÁìÓò


PoC/EXP

δ¹«¿ª

ÔÚÒ°ÀûÓÃ

·ñ

 

0x01 ·ì϶ÏêÇé

image.png

PLC£¨¿É±à³ÌÂß¼­½ÚÔìÆ÷£©ÊÇÒ»ÖÖרÃÅΪ¹¤Òµ»·¾³ÀûÓöøÉè¼ÆµÄÊý×ÖÔËËã²Ù×÷µç×Óϵͳ¡£ËüÑ¡È¡Ò»Öֿɱà³ÌµÄ´æ´¢Æ÷£¬ÔÚÆäÄÚ²¿´æ´¢Ö´ÐÐÂß¼­ÔËËã¡¢°¤´Î½ÚÔì¡¢°´Ê±¡¢¼ÆÊýºÍËãÊõÔËËãµÈ²Ù×÷µÄÖ¸Áͨ¹ýÊý×Öʽ»ò·ÂÕÕʽµÄÊäÈëÊä³öÀ´½ÚÔì¸÷ÖÖÀàÐ͵ĻúеÉ豸»ò³ö²ú¹ý³Ì¡£

2021Äê05ÔÂ28ÈÕ£¬ClarotyµÄ×êÑÐÈËÔ±¹«¿ªÅû¶ÁËSiemens£¨Î÷ÃÅ×Ó£©PLCÖеÄÒ»¸öÔ¶³Ì´úÂëÖ´Ðзì϶£¨CVE-2020-15782£©£¬ÆäCVSSÆÀ·ÖΪ8.1¡£¿ÉÄÜÍøÂç½Ó¼û TCP ¶Ë¿Ú 102 µÄÔ¶³Ì¹¥»÷ÕßÄܹ»ÀûÓø÷ì϶ÈƹýPLC CPUÖеÄPLCɳÏ䣬ÔÚÊܱ £»¤µÄÄÚ´æÇøÓòÖÐдÈë»ò¶ÁÈ¡Êý¾Ý£¬×îÖÕÔ¶³ÌÖ´ÐжñÒâ´úÂ룬ÇҸ÷ì϶ÎÞÐè¾­¹ýÉí·ÝÑéÖ¤¼´¿ÉÀûÓá£

¹¥»÷ÕßÄܹ»ÔÚ½ûÓýӼû± £»¤µÄ PLC ÉÏÀÄÓô˷ì϶£¬ÒÔ»ñµÃ PLC ÉÏÈκεØλµÄ¶Áд½Ó¼ûȨÏÞ²¢Ô¶³ÌÖ´ÐжñÒâ´úÂ룬²¢ÇÒÀûÓô˷ì϶µÄ¹¥»÷½«ºÜÄѱ»¼ì²â¡£

 

Ó°ÏìÁìÓò

image.png

 

 

0x02 ´ëÖý¨Òé

Ä¿Ç°SiemensÒѾ­½¨¸´ÁË´Ë·ì϶£¬½¨Òé²Î¿¼¹Ù·½°ä²¼µÄ°²È«Õ÷ѯʵʱÉý¼¶¸üÐÂ:

ÏÂÔØÁ´½Ó£º

https://cert-portal.siemens.com/productcert/pdf/ssa-434534.pdf

 

0x03 ²Î¿¼Á´½Ó

https://cert-portal.siemens.com/productcert/pdf/ssa-434534.pdf

https://claroty.com/2021/05/28/blog-research-race-to-native-code-execution-in-plcs/

https://securityaffairs.co/wordpress/118367/ics-scada/cve-2020-15782-siemens-plcs-flaw.html?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15782


0x04 ¹¦·òÏß

2021-05-28  Claroty¹«¿ªÅû¶·ì϶

2021-05-28  Siemens°ä²¼°²È«²¼¸æ

2021-05-31  VSRC°ä²¼°²È«¹«¸æ

 

0x05 ¸½Â¼

 

CVSSÆÀ·Ö³ß¶È¹ÙÍø£ºhttp://www.first.org/cvss/

image.png