Vulnerability in kernel drivers of Beckhoff TwinCAT 2 and 3.1 PLC software solutions for PLCs could allow local attackers to escalate privileges on target systems
Analysis Summary
# Vulnerability: Privilege Escalation in Beckhoff TwinCAT Kernel Drivers
## CVE Details
- **CVE ID:** CVE-2017-16744
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) / CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:** Beckhoff TwinCAT 2 and TwinCAT 3.1 PLC software solutions.
- **Versions:**
  - TwinCAT 2.x (all versions)
  - TwinCAT 3.1 (versions prior to Build 4022.4)
- **Configurations:** Systems where the TwinCAT kernel drivers are installed and running on Windows-based PLC hardware or IPCs (Industrial PCs).
## Vulnerability Description
The vulnerability exists within the kernel-mode drivers of the Beckhoff TwinCAT runtime environment. Specifically, the drivers fail to properly validate the length of data passed from user-mode applications via IOCTL (Input/Output Control) calls. This lack of validation leads to a buffer overflow condition. Because the flaw exists at the kernel level, an attacker with low-privileged local access can execute arbitrary code with SYSTEM-level privileges, effectively taking full control of the host operating system.
## Exploitation
- **Status:** PoC confirmed (originally discovered/demonstrated by Kaspersky Lab researchers). No widespread reports of exploitation in the wild at the time of disclosure.
- **Complexity:** Low
- **Attack Vector:** Local (Requires the ability to execute code on the target system, such as through a low-privileged user account).
## Impact
- **Confidentiality:** High (Full access to all data on the system)
- **Integrity:** High (Ability to modify system files, PLC logic, and kernel memory)
- **Availability:** High (Potential to cause System Crash/BSOD or stop PLC operations)
## Remediation
### Patches
- **TwinCAT 3.1:** Upgrade to **Build 4022.4** or higher.
- **TwinCAT 2:** Contact Beckhoff support for the applicable security update or migration path; the correct TwinCAT 2 build depends on the underlying operating system version.
### Workarounds
- **Least Privilege:** Restrict local access to the PLC/IPC to authorized administrative personnel only.
- **External Interfaces:** Ensure that the PLC is not accessible via RDP or other remote access protocols from untrusted networks to prevent the initial foothold required for local escalation.
## Detection
- **Indicators of compromise:** Unusual system crashes (BSOD) related to TwinCAT driver files (`TcSysSrv.sys` or similar kernel components).
- **Detection methods and tools:**
  - Monitor for processes running with `SYSTEM` privileges that were spawned from low-privileged user sessions.
  - Integrity checks of TwinCAT binary files against known-good hashes provided by the vendor.
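The first detection method above can be implemented on Windows Security event 4688 (process creation), whose `Subject*` fields name the session that requested the creation and whose `TargetUserName` names the account the new process actually runs as. The script below is an added example, not part of the advisory or of Beckhoff's tooling; the sample records are constructed, and the file paths in them are illustrative.

```python
"""Flag SYSTEM processes created from low-privileged logon sessions (event 4688)."""

# Windows Security event 4688 carries two identity blocks: Subject* is the
# account whose session requested the creation; TargetUserName / TargetLogonId
# is the account the new process runs as, filled in when it differs.
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
# Well-known logon IDs of the SYSTEM, NETWORK SERVICE and LOCAL SERVICE sessions.
SERVICE_LOGON_IDS = {"0x3e7", "0x3e4", "0x3e5"}


def is_cross_session_system_spawn(ev: dict) -> bool:
    """True when an ordinary user's session produced a process running as SYSTEM.

    Service accounts and machine accounts (names ending in '$') routinely spawn
    SYSTEM processes (service control, task scheduler) and are ignored.
    """
    subject = ev.get("SubjectUserName", "").upper()
    if ev.get("TargetUserName", "").upper() != "SYSTEM":
        return False  # new process does not run as SYSTEM
    if subject in SERVICE_ACCOUNTS or subject.endswith("$"):
        return False  # privileged or machine account: expected
    if ev.get("SubjectLogonId", "").lower() in SERVICE_LOGON_IDS:
        return False  # well-known service session
    return True


def find_escalations(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (subject user, parent image, new image) for each suspicious creation."""
    return [(ev.get("SubjectUserName", ""), ev.get("ParentProcessName", ""),
             ev.get("NewProcessName", ""))
            for ev in events if is_cross_session_system_spawn(ev)]


# Constructed sample records (not taken from a real host); keys follow 4688 EventData.
SAMPLE_4688 = [
    {"SubjectUserName": "SYSTEM", "SubjectLogonId": "0x3e7", "TargetUserName": "",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"SubjectUserName": "PLC01$", "SubjectLogonId": "0x3e7", "TargetUserName": "SYSTEM",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Windows\System32\taskhostw.exe"},
    {"SubjectUserName": "operator", "SubjectLogonId": "0x4a1c2", "TargetUserName": "SYSTEM",
     "ParentProcessName": r"C:\Users\operator\AppData\Local\Temp\tool.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for user, parent, image in find_escalations(SAMPLE_4688):
        print(f"ALERT: session of {user} spawned SYSTEM process {image} via {parent}")
```

Feed it the EventData of collected 4688 events (for example, exported from a SIEM) and review every hit together with the parent image and the TwinCAT driver crash indicators listed above.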
## References
- **Vendor Advisory:** hxxps[://]www[.]beckhoff[.]com/english/support/twincat_3_security_advisories.htm
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2018/03/26/serious-vulnerability-identified-in-beckhoff-twincat-plc-software-solution/
- **ICS-CERT (CISA) Advisory:** hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/icsa-18-095-03