CODESYS has released security patches to fix eleven 11 vulnerabilities in its ICS Automation Software. CoDeSys is a development environment for programming controller applications according to the international industrial standard IEC 61131-3. The main product of the software suite is the CODESYS Development System, an IEC 61131-3 tool.
An attacker could exploit the flaw to trigger a denial-of-service (DoS) condition, disclose information, execute arbitrary code, and conduct other malicious activities. Two of these vulnerabilities, tracked as CVE-2022-31805 and CVE-2022-31806, have been rated critical (CVSS scores: 9.8), 7 as high risk, and 2 as medium risk.
The vulnerabilities were discovered as part of in-depth research on CODESYS V2 runtime and PLCs using this kernel (ABB AC500 PLCs).
“These vulnerabilities are simple to exploit, and they can be successfully exploited to cause consequences such as sensitive information leakage, PLCs entering a severe fault state, and arbitrary code execution. In combination with industrial scenarios on field, these vulnerabilities could expose industrial production to stagnation, equipment damage, etc.” reads the advisory published by Chinese cybersecurity firm NSFOCUS said. ” “CodeSys has published an official security advisory that has fixed the mentioned vulnerabilities. However, many vendors who use CODESYS V2 runtime have not yet updated in time, in which case factories using these affected products are still in serious risk.”
The Chinese researchers who discovered the vulnerabilities pointed out that CODESYS V2 Runtime is used by many manufacturers, and most of these manufacturers still use outdated versions. The vulnerabilities affect a large number of manufacturers using a version of CODESYS V2 Runtime older than V220.127.116.11.
The products described below may be affected by the vulnerabilities and require security enhancements.
The timeline of the issues is:
Below is the list of protection and recommendations recommended by the researchers:
In a separate advisory published on June 23, CODESYS said it also remediated three other flaws in CODESYS Gateway Server (CVE-2022-31802, CVE-2022-31803, and CVE-2022-31804) that could be leveraged to send crafted requests to bypass authentication and crash the server.
(SecurityAffairs – hacking, Codesys ICS Automation Software)