Makers Blog

Using cnspec to find old firmware and misconfigurations on PLCnext Control

atomic111 23 February 2023 min. read
1,290 views 0 comments

As an example, let's take the PLCnext Control AXC F 2125 from Phonix Contact, which is based on the ARM Cortex-A9 processor and has an IEC 61131 runtime system. Cnspec is an open source tool that offers different options for scanning the Linux-based PLCnext Control to detect old firmware and misconfigurations. This guide provides a step-by-step instructions to scan a PLCnext Control via the cnspec SSH provider.

  1. Install cnspec on your notebook (Install Guide)

  2. Test the connection and establish a cnspec shell to the PLCnext Control by running the following command:

    cnspec shell ssh admin@192.168.1.10 --ask-pass
    
  3. Execute the following MQL command within the cnspec shell:

    file("/etc/plcnext/arpversion").content
    

As we can see, we were able to connect via SSH to the PLCnext Control and were able to execute the first MQL command.

→ loaded configuration from /home/user/.config/mondoo/mondoo.yml using source default
Enter password:              
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
  ___ _ __  ___ _ __   ___  ___ 
 / __| '_ \/ __| '_ \ / _ \/ __|
| (__| | | \__ \ |_) |  __/ (__ 
 \___|_| |_|___/ .__/ \___|\___|
  mondoo™     |_|              
cnspec> file("/etc/plcnext/arpversion").content
file.content: "Arpversion: 23.0.0.65
GIT Commit Hash: d755854b5b21ecb8dca26b0a560e6842a0c638d7
Build Job: \"jenkins-PLCnext-Yocto_Targets-Yocto_AXCF2152-release%2F23.0.x-65\"
"
  1. Download the PLCnext Technology policy from the public cnspec-policies repository to perform a basic security check by running the following command:

    git clone https://github.com/mondoohq/cnspec-policies
    
    Cloning into 'cnspec-policies'...
    remote: Enumerating objects: 1075, done.
    remote: Counting objects: 100% (149/149), done.
    remote: Compressing objects: 100% (84/84), done.
    remote: Total 1075 (delta 75), reused 115 (delta 61), pack-reused 926
    Receiving objects: 100% (1075/1075), 699.81 KiB | 402.00 KiB/s, done.
    Resolving deltas: 100% (690/690), done.
    
  2. Perform the following command to run a complete security scan on the PLCnext Control via SSH:

    cnspec scan ssh admin@192.168.1.10 -f cnspec-policies/community/mondoo-phoenix-plcnext-security.mql.yaml --ask-pass
    

The full ouput should look like this:

cnspec scan ssh admin@192.168.1.10 -f cnspec-policies/community/mondoo-phoenix-plcnext-security.mql.yaml --ask-pass
→ loaded configuration from /home/user/.config/mondoo/mondoo.yml using source default
Enter password:              
→ using service account credentials
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1

 axcf2152 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: F


Asset: axcf2152
---------------

Controls:
✕ Fail:  Ensure SSH MaxAuthTries is set to 4 or less
✓ Pass:  Ensure secure permissions on SSH public host key files are set
✓ Pass:  Ensure only strong MAC algorithms are used
✓ Pass:  Ensure only strong ciphers are used
✓ Pass:  Ensure SSH IgnoreRhosts is enabled
✓ Pass:  Ensure SSH Idle Timeout Interval is configured
✕ Fail:  Ensure SSH password authentication is disabled
✓ Pass:  Ensure current system time is synchronized
✓ Pass:  Ensure only strong Key Exchange algorithms are used
✓ Pass:  Ensure SSH LoginGraceTime is set to one minute or less
✓ Pass:  Ensure SSH Protocol is set to 2
✓ Pass:  Ensure SSH root login is disabled or set to prohibit-password
✓ Pass:  Ensure SSH LogLevel is appropriate
✓ Pass:  Ensure SSH PermitUserEnvironment is disabled
✓ Pass:  Ensure SSH HostbasedAuthentication is disabled
✓ Pass:  Ensure SSH access is limited
✓ Pass:  Ensure secure permissions on SSH private host key files are set
✓ Pass:  Ensure SSH warning banner is configured
✕ Fail:  Ensure Firewall is active
✓ Pass:  Ensure SSH PermitEmptyPasswords is disabled
✓ Pass:  Ensure SSH X11 forwarding is disabled
✓ Pass:  Ensure latest PLCnext Firmware is installed


Scanned 1 assets

For detailed output, run this scan with "-o full".

The open-source cnspec security solution provides a comprehensive approach to identifying vulnerabilities and misconfigurations across both IT and OT systems. By regularly scanning your systems, you can proactively identify and fix potential security issues before they become a problem.

Note:

The Makers Blog shows applications and user stories of community members that are not tested or reviewed by Phoenix Contact. Use them at your own risk.

Discussion

Please login/register to comment

Login/Register

Leave a Reply

Newsletter
Never miss a new article
Sign up for the newsletter
Never miss news about PLCnext Technology
Get interesting content via newsletter four times a year
Receive exclusive information before all other users