Security Flaws Affect a Component of the Arduino Create Cloud IDE

Arduino is a leading Italian company that designs and produces ubiquitous single-board microcontrollers and microcontroller kits for building digital devices. Their products have historically been open-source, simple, cost-effective, and easy to use and deploy.

Recently, Arduino launched a new product named Arduino Opta: a microPLC (Programmable Logic Controller) with industrial IoT capabilities. This device is intended to be deployed in industrial automation facilities and control system architectures. To enable software developers to utilize and deploy their devices, Arduino provides a large set of libraries distributed within an IDE (Integrated Development Environment), used to write customized applications. The Arduino Opta is fully integrated with this development platform.  

Nozomi Networks Labs analyzed the Opta device for potential vulnerabilities to disclose to the vendor and user community.

Our security research revealed four vulnerabilities in the Arduino Create Agent software (used to configure Arduino Opta devices) that could lead to elevation of privileges for a local user and the arbitrary deletion of protected files. In response to our disclosure, Arduino applied the required patches to the open-source Arduino Create Agent repository. The updated software version is available for download on the official website.

Background

The Arduino IDE software is available either as a local download or through the Arduino cloud infrastructure via a web connection. To connect over the web, Arduino devices require an agent service called Arduino Create Agent that acts as a communication bridge between the browser and the Arduino device connected to the workstation through a USB cable. The cloud-based IDE reachable on the Arduino web platform is shown in Figure 1.

Figure 1. Arduino web editor.

The Arduino Create Agent software is an open-source application that, once installed locally, exposes a set of HTTP/HTTPS APIs required to allow the web browser to perform low-level operations on connected Arduino devices (e.g. flashing new firmware over the USB interface). The main architecture is described in Figure 2.

Figure 2. Arduino Web Editor architecture.

The Arduino Create Agent installation is prompted automatically when a user interacts with the web-based Arduino IDE (Figure 3).

Figure 3. Arduino Create Agent installation.

Once installed, the Arduino Create Agent executes as a web service running locally and bound to the localhost interface. The communication between the browser and the local agent is HTTP based, and HTTPS can be optionally enabled.

Arduino Create Agent Vulnerabilities Found

Below is a list of all four vulnerabilities discovered by Nozomi Networks Labs, ranked by severity:

High risk

  1. CVE-2023-43802: Path Traversal (CWE-35), CVSS v3.1 Base Score 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
  2. CVE-2023-43800: Insufficient Verification of Data Authenticity (CWE-345), CVSS v3.1 Base Score 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)

Medium risk

  1. CVE-2023-43801: Path Traversal (CWE-35), CVSS v3.1 Base Score 6.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L)
  2. CVE-2023-43803: Path Traversal (CWE-35), CVSS v3.1 Base Score 6.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L)

All the vulnerabilities affect the Arduino Create Agent up to version 1.3.2 included (latest version at the time of the analysis).

Impacts

The highest-risk vulnerabilities are CVE-2023-43802 and CVE-2023-43800. Both allow an attacker with access to the system to escalate their privileges to those of a user with credentials for the Arduino Create Agent service. The impact of the privilege escalation depends on the configuration of the workstation where the Arduino Create Agent service is running. Shared workstations are a common scenario, since engineering workstations are accessed by multiple operators with different accounts. A user with a standard account could try to impersonate a different one or eventually acquire a higher-privileged account, gaining the ability to execute privileged operations on the system that would normally be denied, such as shutting down the system. The issue could be exploited not only by a physical user (e.g. an operator of the workstation) but also by other software with local privileges running on it, such as malware that has infected the system.

The CVE-2023-43802 vulnerability is a Path Traversal that leads to arbitrary file overwrite on the system, while CVE-2023-43800 is an Insufficient Verification of Data Authenticity that allows an attacker to replace a component of the Arduino Create Agent service and afterwards invoke its execution. Both vulnerabilities, when exploited, would allow an attacker to perform arbitrary code execution on the system in the context of the Arduino Create Agent service running on it, leading to the privilege escalation scenarios described above.

CVE-2023-43801 and CVE-2023-43803 are two Path Traversal vulnerabilities that can be abused in the same way. A low-privileged user with access to the system can exploit these vulnerabilities to delete arbitrary files and folders owned by the user that runs the Arduino Create Agent service, such as confidential documents or critical system configuration files if the vulnerable agent has been started with a high-privileged account. In this case the vulnerabilities can be abused not only by a physical user interacting with the workstation, but also by malware that has infected the system, compromising its availability by deleting protected resources.
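All three Path Traversal issues above share one root cause: a client-supplied file name is joined to a directory the agent manages without confirming that the result still lies inside that directory. The following Go function is an added illustration of the confinement check that closes this bug class; it is not code from the Arduino Create Agent repository, and the base directory path is a hypothetical value chosen for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned when a client-supplied path would resolve to the
// base directory itself or to anything outside it.
var ErrUnsafePath = errors.New("path is not a file inside the base directory")

// SafeJoin resolves userPath relative to base and returns the cleaned absolute
// result, or ErrUnsafePath when that result escapes base. The decision is made
// on the resolved path, not by scanning for "..", so sequences such as
// "sub/../../x" or an absolute path cannot slip through. Note: if base may
// contain symlinks pointing outside it, also run filepath.EvalSymlinks on the
// existing parent and repeat the check.
func SafeJoin(base, userPath string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	// The agent owns the directory, so an absolute client path is never legitimate.
	if filepath.IsAbs(userPath) {
		return "", ErrUnsafePath
	}
	joined := filepath.Join(absBase, userPath) // Join also cleans "." and ".." segments
	// Rel starts with ".." when joined is not under absBase, and is "." when it
	// is absBase itself; neither is an acceptable file target for overwrite or delete.
	rel, err := filepath.Rel(absBase, joined)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return joined, nil
}

func main() {
	base := "/var/lib/agent/sketches" // hypothetical directory managed by a local agent
	for _, p := range []string{"blink.bin", "sub/../blink.bin", "../../etc/passwd", "/etc/passwd", "sub/.."} {
		out, err := SafeJoin(base, p)
		fmt.Printf("%-18q -> %q %v\n", p, out, err)
	}
}
```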

All of the vulnerabilities described require local access to the device (a user interacting with the system or malicious software running on it) due to the CORS (Cross-Origin Resource Sharing) policy implemented in the Arduino Create Agent. A threat actor could potentially exploit an additional vulnerability allowing them to generate a trusted HTTP request (e.g. a Cross-Site Scripting attack on the create.arduino.cc web application) to interact remotely with the Arduino Create Agent service running locally on the workstation. Such an attack chain would allow the remote exploitation of the vulnerabilities described.

Nozomi Networks Labs has not conducted security research on the web applications hosted on the domain *.arduino.cc, and the security posture of the cloud-based Arduino web editor is out of scope for this blog.

Recommended Mitigations

After our disclosure, Arduino quickly applied proper fixes to the Arduino Create Agent service; they are included in official release 1.3.3 and are available for download in the official repository. We recommend that users of the Arduino Web Editor promptly upgrade the Arduino Create Agent to the latest version in order to prevent any abuse of their systems.

Summary

PLC devices are widely used in industrial automation facilities, and their security level is critical to avoid unauthorized access to services or resources that should be protected from external entities. The Arduino Create Agent service could potentially be installed on an industrial facility workstation used by engineers to program the PLC devices, representing an attack surface that could be exploited to access and manipulate systems, services or resources.

In this blog we revealed four vulnerabilities affecting the Arduino Create Agent service, a mandatory software component required to use the cloud-based Arduino web editor IDE to program the Arduino Opta microPLC device. We invite asset owners to review their development ecosystems and download and install the latest Arduino Create Agent software from the official website.