Siemens PLC Remote Code Execution Vulnerability (CVE-2020-15782)

Published: 2021-05-31

0x00 Vulnerability Overview

CVE ID: CVE-2020-15782

Date: 2021-05-31

Type: RCE

Severity: High

Remotely exploitable: Yes

Affected scope:

PoC/EXP: Not public

Exploited in the wild: No

 

0x01 Vulnerability Details

A PLC (programmable logic controller) is a digital electronic system designed specifically for use in industrial environments. It uses programmable memory to store the instructions for logic operations, sequential control, timing, counting and arithmetic, and it controls various types of machinery or production processes through digital or analog inputs and outputs.

On 28 May 2021, researchers at Claroty publicly disclosed a remote code execution vulnerability in Siemens PLCs (CVE-2020-15782), with a CVSS score of 8.1. A remote attacker with network access to TCP port 102 can exploit the vulnerability to bypass the PLC sandbox in the PLC CPU, write or read data in protected memory areas, and ultimately execute malicious code remotely. The vulnerability can be exploited without authentication.

An attacker can abuse this vulnerability on a PLC that has access protection disabled to obtain read and write access to any location on the PLC and execute malicious code remotely. Attacks that exploit this vulnerability would be very hard to detect.
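An added example, not part of the original advisory: since exploitation needs only network access to TCP port 102 and is hard to detect on the PLC, this Python code audits flow records for sources that reach that port on PLCs from outside an allowlist. The log format, PLC subnet, addresses and allowlist are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample flow records (time, src, dst, dst_port, proto); not real traffic.
SAMPLE_FLOWS = """\
2021-06-01T08:00:01,10.20.1.15,10.20.5.10,102,tcp
2021-06-01T08:00:07,10.20.1.15,10.20.5.11,102,tcp
2021-06-01T08:03:44,10.9.8.77,10.20.5.10,102,tcp
2021-06-01T08:04:02,10.20.1.15,10.20.5.10,443,tcp
2021-06-01T08:05:30,192.0.2.50,10.20.5.11,102,tcp
2021-06-01T08:06:12,10.20.1.16,10.30.0.4,102,tcp
"""

PLC_NET = ipaddress.ip_network("10.20.5.0/24")          # assumed PLC subnet
ALLOWED_SOURCES = {ipaddress.ip_address("10.20.1.15")}  # assumed engineering station
PLC_PORT = 102  # TCP port named in the advisory


def unexpected_port102_flows(flow_text):
    """Return {plc_ip: sorted non-allowlisted source IPs} for TCP/102 flows."""
    findings = {}
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 5:
            continue  # skip malformed or blank lines
        _, src, dst, dport, proto = (field.strip() for field in row)
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # unparsable address or port
        if proto.lower() != "tcp" or port != PLC_PORT:
            continue
        if dst_ip not in PLC_NET or src_ip in ALLOWED_SOURCES:
            continue
        findings.setdefault(str(dst_ip), set()).add(str(src_ip))
    return {plc: sorted(srcs) for plc, srcs in findings.items()}


if __name__ == "__main__":
    for plc, sources in unexpected_port102_flows(SAMPLE_FLOWS).items():
        print(f"{plc}: TCP/102 reached from {', '.join(sources)}")
```

A hit shows only that a host outside the allowlist can reach the port, not that the vulnerability was exploited.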

 

Affected Scope


 

 

0x02 Remediation Recommendations

Siemens has fixed this vulnerability. Refer to the official security advisory and upgrade promptly:

Download link:

https://cert-portal.siemens.com/productcert/pdf/ssa-434534.pdf

 

0x03 References

https://cert-portal.siemens.com/productcert/pdf/ssa-434534.pdf

https://claroty.com/2021/05/28/blog-research-race-to-native-code-execution-in-plcs/

https://securityaffairs.co/wordpress/118367/ics-scada/cve-2020-15782-siemens-plcs-flaw.html?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15782


0x04 Timeline

2021-05-28  Claroty publicly discloses the vulnerability

2021-05-28  Siemens publishes its security advisory

2021-05-31  VSRC publishes its security bulletin

 

0x05 Appendix

 

Official site for the CVSS scoring standard: http://www.first.org/cvss/
