thiagoralves / OpenPLC_v3

OpenPLC Runtime version 3
GNU General Public License v3.0
1.11k stars 452 forks source link

Responsible Vulnerability Disclosure Policy #225

Open koromodako opened 9 months ago

koromodako commented 9 months ago

Hi,

First of all, thank you for this great project đź‘Ť

I'd like to report some security issues. I'm looking for a responsible vulnerability disclosure policy that I should follow to report these vulnerabilities in a responsible way.

Thank you

koromodako commented 9 months ago

Looks like someone already reported a vulnerable dependency in #174, let me know if reporting is supposed to be done in public issues on this Github repository.

thiagoralves commented 9 months ago

Sure, you can disclose it here as an issue

koromodako commented 9 months ago

Here is a list of some issues and possible mitigation that could reduce associated risks.

Regarding webserver app, I noticed that:

thiagoralves commented 9 months ago

Thank you for the report. Just a few comments:

  1. This has been reported already in multiple other places and even CVEs. It is being addressed in the dev-python3 branch of the new runtime at github.com/autonomy-logic/OpenPLC_Runtime. Also, there are plans to add https support which will also protect against getting the hash over the wire.
  2. Noted
  3. Noted
  4. Given that OpenPLC is a Programmable Logic Controller, there must be ways for the user to inject his/her code, otherwise it wouldn’t be “programmable”. This is totally expected and is not a vulnerability, as the feature is behind authentication (you must be logged to be able to configure and enable PSM). So far there hasn’t been any reports of known ways to inject code unauthenticated
  5. Same as 4
koromodako commented 9 months ago

Thank you for this answer.

I'd like to elaborate a bit more on points 4. and 5.

Lets say that we have student training on a OpenPLC powered lab, how can we restrict access to the underlying layer (I mean the OS layer of the server running OpenPLC) ?

On a real PLC one can upload a program but should not be able to run code in OS, say VxWorks for instance (except in the presence of vulnerabilities).

There is a difference between being able to change the program running on an OpenPLC server and being able to tell this same server to shutdown adding a short piece of code in PSM based on some os.system call.

Maybe OpenPLC could setup a minimal Role-Based Access Control feature to prevent specific users from using features allowing to take over the underlying operating system. What I mean is that there is a difference between a server administrator and an OpenPLC user.

thiagoralves commented 9 months ago

You don't have to write code on PSM to make OS system calls. You can write that straight in the PLC program itself by declaring C under pragmas. Many other vendors (with a more open mindset) like PCWorkx, TwinCAT and even CODESYS allow that type of thing as well, where users can declare C code or make syscalls. If the user is restricted even to upload a new PLC program because of that, then the PLC is useless. This is not about security or vulnerability. This is about openness, and that's the concept behind OpenPLC, to be open, without restrictions. Obviously that comes with a risk if one does not know what he/she is doing. With great powers comes great responsibility. In case of students, just place the OpenPLC Runtime inside a VM. Then you get the isolation you need.