A critical heap-based buffer overflow flaw in a web server for the CODESYS automation software for engineering control systems could be exploited by a remote, unauthenticated attacker to crash a server or execute arbitrary code.
CODESYS is a software platform, developed by the German company Smart Software Solutions, used in the automation industry for programming controller applications.
The CODESYS web server is used by the CODESYS WebVisu to display CODESYS visualization screens in a
The flaw tracked as CVE-2020-10245 is easy to exploit, it received a severity rate of 10 out of 10 on the CVSS v.2. A heap overflow condition is a type of buffer overflow, where a heap portion of memory could be overwritten with the content exceeding a buffer. Usually,
“Specific crafted requests may cause a heap-based buffer overflow. Further on this could crash the web server, lead to a denial-of-service condition or may be utilized for remote code execution.” reads the advisory published by CODESYS.
“Specific crafted requests may cause a heap-based buffer overflow. Further on this could crash the web server, lead to a denial-of-service condition or may be utilized for remote code execution. As the
The issue resides in the CmpWebServerHandlerV3.dll (file version 18.104.22.168) library that doesn’t properly validate user-supplied data sent to the web server URL endpoint.
“A heap overflow vulnerability exists in CmpWebServerHandlerV3.dll (file version 22.214.171.124) due to improper validation of user-supplied data sent to the CODESYS V3 web server URL endpoint /WebVisuV3.” reads the analysis published by Tenable.
“The flaw is due to the fact that the MemGCGetSize function adds 0x5c bytes to the requested allocation size during memory allocation operation”
An attacker could exploit the flaw by requesting a very large memory allocation size via a WEB_CLIENT_OPENCONNECTION message sent to the CmpWebServerHandlerV3 component.
“The CmpWebServerHandlerV3 component (when in state 0) attempts to allocate -1 (0xffffffff) bytes for the communication buffer. When the SysMemAllocData function is called, the memory allocation size gets overflowed and a small (0xffffffff + 0x5c = 0x5b) heap buffer is actually allocated.”
The experts also published a PoC exploit code that can be used to terminate a 32-bit CODESYSControlService.exe.
The flaw affects all versions of CODESYS V3 runtime systems containing the web server prior V126.96.36.199, a fix is included in version V188.8.131.52.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.