Siemens PLC Remote Code Execution Vulnerability (CVE-2020-15782)

Published 2021-05-31

0x00 Vulnerability Overview

CVE ID: CVE-2020-15782

Date: 2021-05-31

Type: RCE

Severity: High

Remotely exploitable: Yes

Affected scope:

PoC/EXP: Not public

Exploited in the wild: No

0x01 Vulnerability Details

A PLC (programmable logic controller) is a digital computing electronic system designed specifically for industrial applications. It uses a programmable memory to store the instructions that carry out logic operations, sequential control, timing, counting and arithmetic, and it controls all kinds of machinery and production processes through digital or analog inputs and outputs.

On May 28, 2021, researchers at Claroty publicly disclosed a remote code execution vulnerability (CVE-2020-15782) in Siemens PLCs, rated CVSS 8.1. A remote attacker with network access to TCP port 102 can use this vulnerability to bypass the PLC sandbox in the PLC CPU, read or write data in protected memory regions, and ultimately execute malicious code remotely; the vulnerability can be exploited without authentication.

An attacker can abuse this vulnerability on PLCs where access protection is disabled to gain read and write access to any location on the PLC and execute malicious code remotely, and attacks that exploit it are very hard to detect.
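Because the advisory notes that exploitation on the PLC itself is hard to detect, the practical defender check is at the network layer: the only fact needed is that the attack path is TCP port 102, so any connection to that port on a PLC from a host that is not a known engineering workstation is worth alerting on. The script below is an added example and not part of the advisory or of any Siemens or Claroty tooling; the log format, the PLC subnet, the engineering-workstation allow-list and the sample flow lines are all constructed assumptions (IPv4 only).

```python
import ipaddress
from collections import namedtuple

# Constructed sample flow/firewall log (not from the advisory).
# Assumed format per line: "<timestamp> <src_ip> -> <dst_ip>:<dst_port>/<proto>"
SAMPLE_LOG = """\
2021-05-31T10:00:01Z 10.10.1.5 -> 10.10.2.20:102/tcp
2021-05-31T10:00:07Z 10.10.1.5 -> 10.10.2.21:102/tcp
2021-05-31T10:01:12Z 192.168.50.14 -> 10.10.2.20:102/tcp
2021-05-31T10:01:30Z 10.10.1.9 -> 10.10.2.20:443/tcp
2021-05-31T10:02:45Z 172.16.3.8 -> 10.10.2.21:102/tcp
"""

# Assumed network layout: the subnet holding the PLCs and the hosts that are
# allowed to talk S7 to them (engineering workstations). Adjust to your plant.
PLC_SUBNET = ipaddress.ip_network("10.10.2.0/24")
ENGINEERING_HOSTS = {ipaddress.ip_address("10.10.1.5")}
S7_PORT = 102  # TCP port named in the advisory as the attack path

Flow = namedtuple("Flow", "ts src dst port proto")


def parse_line(line):
    """Parse one constructed log line into a Flow (IPv4 addresses assumed)."""
    ts, src, _arrow, dst = line.split()
    host, rest = dst.rsplit(":", 1)
    port, proto = rest.split("/")
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(host), int(port), proto)


def unexpected_s7_access(log_text):
    """Return flows to TCP/102 on PLC hosts whose source is not an allow-listed engineering host."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_line(line)
        if flow.proto != "tcp" or flow.port != S7_PORT or flow.dst not in PLC_SUBNET:
            continue  # not S7 traffic to a PLC; ignore
        if flow.src not in ENGINEERING_HOSTS:
            findings.append(flow)
    return findings


if __name__ == "__main__":
    for f in unexpected_s7_access(SAMPLE_LOG):
        print(f"ALERT {f.ts}: unexpected TCP/102 access to PLC {f.dst} from {f.src}")
```

Run against the constructed sample, the two connections from 192.168.50.14 and 172.16.3.8 are flagged, while the engineering workstation's sessions and the HTTPS flow are ignored. In a real deployment the same logic would be fed from firewall or NetFlow exports, and the allow-list should be kept as small as the plant's change-management process permits, alongside enabling the PLC's own access protection as the advisory recommends.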

Affected scope

[Image: affected product list]

0x02 Remediation

Siemens has already fixed this vulnerability. Refer to the official security advisory and apply the update promptly:

Download link:

https://cert-portal.siemens.com/productcert/pdf/ssa-434534.pdf

0x03 References

https://cert-portal.siemens.com/productcert/pdf/ssa-434534.pdf

https://claroty.com/2021/05/28/blog-research-race-to-native-code-execution-in-plcs/

https://securityaffairs.co/wordpress/118367/ics-scada/cve-2020-15782-siemens-plcs-flaw.html?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15782


0x04 Timeline

2021-05-28  Claroty publicly discloses the vulnerability

2021-05-28  Siemens publishes a security advisory

2021-05-31  VSRC publishes a security advisory

0x05 Appendix

CVSS scoring standard (official site): http://www.first.org/cvss/