PLCnext Store Login / Register
Makers Blog

Using cnspec to find old firmware and misconfigurations on PLCnext Control

atomic111 23 February 2023 min. read
1,243 views 0 comments

As an example, let's take the PLCnext Control AXC F 2125 from Phonix Contact, which is based on the ARM Cortex-A9 processor and has an IEC 61131 runtime system. Cnspec is an open source tool that offers different options for scanning the Linux-based PLCnext Control to detect old firmware and misconfigurations. This guide provides a step-by-step instructions to scan a PLCnext Control via the cnspec SSH provider.

  1. Install cnspec on your notebook (Install Guide)

  2. Test the connection and establish a cnspec shell to the PLCnext Control by running the following command:

    cnspec shell ssh admin@192.168.1.10 --ask-pass

  3. Execute the following MQL command within the cnspec shell:

    file("/etc/plcnext/arpversion").content

As we can see, we were able to connect via SSH to the PLCnext Control and were able to execute the first MQL command.

→ loaded configuration from /home/user/.config/mondoo/mondoo.yml using source default
Enter password:              
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
  ___ _ __  ___ _ __   ___  ___ 
 / __| '_ \/ __| '_ \ / _ \/ __|
| (__| | | \__ \ |_) |  __/ (__ 
 \___|_| |_|___/ .__/ \___|\___|
  mondoo™     |_|              
cnspec> file("/etc/plcnext/arpversion").content
file.content: "Arpversion: 23.0.0.65
GIT Commit Hash: d755854b5b21ecb8dca26b0a560e6842a0c638d7
Build Job: \"jenkins-PLCnext-Yocto_Targets-Yocto_AXCF2152-release%2F23.0.x-65\"
"

  1. Download the PLCnext Technology policy from the public cnspec-policies repository to perform a basic security check by running the following command:

    git clone https://github.com/mondoohq/cnspec-policies

Cloning into 'cnspec-policies'...
remote: Enumerating objects: 1075, done.
remote: Counting objects: 100% (149/149), done.
remote: Compressing objects: 100% (84/84), done.
remote: Total 1075 (delta 75), reused 115 (delta 61), pack-reused 926
Receiving objects: 100% (1075/1075), 699.81 KiB | 402.00 KiB/s, done.
Resolving deltas: 100% (690/690), done.

  2. Perform the following command to run a complete security scan on the PLCnext Control via SSH:

    cnspec scan ssh admin@192.168.1.10 -f cnspec-policies/community/mondoo-phoenix-plcnext-security.mql.yaml --ask-pass

The full ouput should look like this:

cnspec scan ssh admin@192.168.1.10 -f cnspec-policies/community/mondoo-phoenix-plcnext-security.mql.yaml --ask-pass
→ loaded configuration from /home/user/.config/mondoo/mondoo.yml using source default
Enter password:              
→ using service account credentials
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1

 axcf2152 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: F


Asset: axcf2152
---------------

Controls:
✕ Fail:  Ensure SSH MaxAuthTries is set to 4 or less
✓ Pass:  Ensure secure permissions on SSH public host key files are set
✓ Pass:  Ensure only strong MAC algorithms are used
✓ Pass:  Ensure only strong ciphers are used
✓ Pass:  Ensure SSH IgnoreRhosts is enabled
✓ Pass:  Ensure SSH Idle Timeout Interval is configured
✕ Fail:  Ensure SSH password authentication is disabled
✓ Pass:  Ensure current system time is synchronized
✓ Pass:  Ensure only strong Key Exchange algorithms are used
✓ Pass:  Ensure SSH LoginGraceTime is set to one minute or less
✓ Pass:  Ensure SSH Protocol is set to 2
✓ Pass:  Ensure SSH root login is disabled or set to prohibit-password
✓ Pass:  Ensure SSH LogLevel is appropriate
✓ Pass:  Ensure SSH PermitUserEnvironment is disabled
✓ Pass:  Ensure SSH HostbasedAuthentication is disabled
✓ Pass:  Ensure SSH access is limited
✓ Pass:  Ensure secure permissions on SSH private host key files are set
✓ Pass:  Ensure SSH warning banner is configured
✕ Fail:  Ensure Firewall is active
✓ Pass:  Ensure SSH PermitEmptyPasswords is disabled
✓ Pass:  Ensure SSH X11 forwarding is disabled
✓ Pass:  Ensure latest PLCnext Firmware is installed


Scanned 1 assets

For detailed output, run this scan with "-o full".

The open-source cnspec security solution provides a comprehensive approach to identifying vulnerabilities and misconfigurations across both IT and OT systems. By regularly scanning your systems, you can proactively identify and fix potential security issues before they become a problem.

Note:

The Makers Blog shows applications and user stories of community members that are not tested or reviewed by Phoenix Contact. Use them at your own risk.

Discussion

Please login/register to comment

Login/Register

Leave a Reply

Newsletter
Never miss a new article
Sign up for the newsletter
Never miss news about PLCnext Technology
Get interesting content via newsletter four times a year
Receive exclusive information before all other users
Our newsletter service is free of charge and contains no obligation for you. You can unsubscribe at any time by using the unsubscribe link in the footer of each newsletter.
* = mandatory field
Legal information Site notice Data privacy
Phoenix Logo