A plugin for the open source network security monitoring tool Zeek is affected by several vulnerabilities that threat actors could leverage in attacks aimed at industrial control system (ICS) environments.
The existence of the vulnerabilities was disclosed recently by the US security agency CISA. The agency’s ICS advisory describes two critical- and one high-severity vulnerabilities impacting the Ethercat plugin for Zeek. The security holes are tracked as CVE-2023-7244, CVE-2023-7243 and CVE-2023-7242.
The Ethercat plugin is one of the dozen ICS protocol parsers for Zeek, a widely used network security monitoring framework. Zeek is designed to run on a hardware, software or cloud system, quietly and unobtrusively observing network traffic for possible threats.
The Industrial Control System Network Protocol Parser (ICSNPP) plugins enhance Zeek’s capabilities, enabling it to look for malicious traffic associated with ICS-specific protocols such as Bacnet, Ethernet/IP, Modbus, OPC UA, S7comm, and Ethercat.
Cameron Whitehead of the University of Central Florida discovered that the Zeek plugin for the Ethercat industrial automation protocol is affected by potentially serious vulnerabilities. The researcher won several hacking competitions organized by the US Department of Energy in the past years.
According to the official Zeek website, the tool has more than 10,000 deployments worldwide, and Whitehead told SecurityWeek that while the impacted plugin is optional, it has been automatically bundled with Zeek in several popular security software suites, such as Security Onion.
This means the vulnerabilities could expose environments beyond ICS, where the impacted plugin is most likely to be present.
Exploitation of the vulnerabilities involves the attacker sending specially crafted packets over a network monitored by Zeek. In some cases this requires having access to the targeted organization’s network, but it may also be possible to conduct attacks directly from the internet.
However, the researcher noted, “It’s hard to assess the scale of how many systems are affected, since you can’t search for things like ‘zeek monitors this network’ on Shodan, since there is no public indicator.”
In the most simple attack scenario, an attacker could exploit one of the vulnerabilities to repeatedly crash the Zeek process. In such an attack, which is reliable and involves only sending a single UDP packet, the hacker can prevent the targeted entity from using Zeek to monitor the network.
In a more complex attack scenario, which involves exploitation of all three vulnerabilities, an attacker who has limited access to a machine running Zeek could execute arbitrary code with elevated privileges.
“Zeek is often run as the root or superuser in order to allow it to monitor a network, which would let the attacker significantly escalate their privileges by gaining access to that user,” Whitehead explained.
The most concerning theoretical attack scenario involves targeting systems where certain security features, such as ASLR, are disabled or not available.
“An attacker could trivially compromise a computer monitoring a network and gain access to the ability to view all traffic in the network, potentially being able to sniff confidential information,” the researcher said. “This also would give an attacker a foothold to stage further attacks from within a trusted place in the environment.”
“This is done by just sending a couple of UDP packets to any machine on the monitored network, which can likely be done from anywhere on the internet for many networks,” he added.
Whitehead said it took roughly six weeks for the Ethercat plugin vulnerabilities to get patched, noting that a major redesign was needed and most of the code logic has been changed.
The researcher has also tested some of the other ICS-specific Zeek plugins and found that they are not impacted by the Ethercat vulnerabilities or similar flaws.
“It was a kind of unusual situation where the Ethercat plugin specifically had a fairly different programming style and structure. A lot of what I do when I’m hunting for bugs is I look for code which seems to be different from what surrounds it. This code tends to have different, often worse, security considerations,” Whitehead explained.
Update: Shortly after this article was published, the developers of Security Onion released a blog post to inform users that the current version of the product includes the updated version of the plugin and is not affected by the vulnerabilities.
Related: Remote Stuxnet-Style Attack Possible With Web-Based PLC Malware: Researchers
Related: Mitsubishi Electric Factory Automation Flaws Expose Engineering Workstations
