Recently, CODESYS officially issued four security update advisories that fix 10 vulnerabilities in CODESYS V2. NSFOCUS received a letter of acknowledgement from CODESYS for NSFOCUS Gewu Lab’s reporting of three of these vulnerabilities, all rated high-risk. All three are reachable through the proprietary communication protocols supported by the CODESYS runtime. By exploiting them, attackers may cause a denial of service or downtime, or even make the target execute maliciously crafted code, allowing them to disrupt production, remain undetected, steal sensitive data, and launch targeted attacks.
CVE-2021-30188 (CVSS3.0 Score: 8.8): CWE-121: Stack-based Buffer Overflow
By sending a specially-crafted request to the affected CODESYS products, attackers could cause a denial of service or remote code execution on the target.
CVE-2021-34595 (CVSS3.0 Score: 8.1): CWE-823: Use of Out-of-range Pointer Offset
By sending a specially-crafted request to the affected CODESYS products, attackers may cause a denial of service or overwrite local memory via an out-of-bounds read or write.
CVE-2021-34596 (CVSS3.0 Score: 8.1): CWE-824: Access of Uninitialized Pointer
By sending a specially-crafted request to the affected CODESYS products, attackers may cause a denial of service via access to an uninitialized pointer.

CODESYS is a manufacturer-independent IEC 61131-3 programming software and ICS device core (runtime SDK) released by 3S-Smart Software Solutions GmbH in Germany, one of the world’s most renowned soft PLC kernel software vendors. As a standard hardware-independent runtime supported by many hardware vendors, CODESYS provides a programming environment compliant with the full IEC 61131-3 standard and supports six programming languages. In addition, CODESYS complements its portfolio with products such as bus configuration tools and motion control systems for different fields. The CODESYS runtime supports the following hardware platforms:
Reference link: https://www.codesys.com/security/security-reports.html
Scope of Impact
- CODESYS Runtime Toolkit 32 bit < V22.214.171.124
- CODESYS PLCWinNT < V126.96.36.199
Note: Besides CODESYS’s own software products, these vulnerabilities affect the industrial control manufacturers whose devices are built on the CODESYS runtime kernel. Much as Android does for mobile devices, CODESYS serves as a widely shared platform for ICS devices. According to official statistics, CODESYS holds a 35% market share and is adopted by more than 500 well-known enterprises, including ABB, Schneider Electric, Festo, Eaton Electric, Bosch Rexroth, Beckhoff, Advantech, ADLINK, Hollysys, INOVANCE, INVT, Wuhan Huazhong Numerical Control and GOOGOL TECHNOLOGY.
The preceding vulnerabilities have been fixed in the latest CODESYS versions. ICS manufacturers using the CODESYS runtime should check their installations and upgrade as soon as possible by downloading the update from https://www.codesys.com/download
Other Protection Measures
- Deploy the affected products behind security protection devices that provide defense-in-depth measures for the control network.
- When remote access is required, use a secure VPN whenever possible and audit all remote access.
- Monitor the security patches released by the affected manufacturers and upgrade the affected products after testing to protect them from these threats.
- Minimize exposure of the affected devices’ proprietary communication ports, and close ports such as 1200/1201/2455 where the business scenario allows.
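The last measure is easiest to verify from the network side: attempt a TCP handshake to each of the ports named above from the vantage point of an untrusted network segment and treat any completed connection as exposure to be closed at the firewall. The script below is an added example written for this advisory, not NSFOCUS or CODESYS code. The port numbers 1200, 1201 and 2455 come from the measure above; the service labels attached to them and the placeholder address 192.0.2.10 are assumptions for reporting only. Run it only against devices you are authorised to test.

```python
"""Check whether the CODESYS V2 ports named in the advisory are reachable on a host.

Added example for the advisory's exposure-reduction measure; not NSFOCUS or
CODESYS code.  Only probe devices you are authorised to test.
"""
import socket
import sys
from typing import Callable, Dict, Iterable, List

# Ports listed in the advisory (1200/1201/2455).  The service labels are an
# assumption used only to make the report readable.
CODESYS_V2_PORTS: Dict[int, str] = {
    1200: "CODESYS V2 gateway",
    1201: "CODESYS V2 gateway (secondary)",
    2455: "CODESYS V2 runtime",
}


def tcp_connect(host: str, port: int, timeout: float) -> bool:
    """Return True if a full TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, filtered (timeout), unreachable host, etc.
        return False


def scan_ports(host: str,
               ports: Iterable[int] = CODESYS_V2_PORTS,
               timeout: float = 2.0,
               connect: Callable[[str, int, float], bool] = tcp_connect) -> Dict[int, bool]:
    """Map each port to True (reachable) or False (closed or filtered).

    `connect` is injectable so the reporting logic can be exercised without a
    live PLC; the default performs a real TCP connect.
    """
    return {port: connect(host, port, timeout) for port in ports}


def exposed_ports(results: Dict[int, bool]) -> List[int]:
    """Sorted list of ports that accepted a connection."""
    return sorted(port for port, reachable in results.items() if reachable)


def report(host: str, results: Dict[int, bool]) -> str:
    """Human-readable summary with a remediation hint when anything is exposed."""
    lines = [f"CODESYS V2 port exposure for {host}:"]
    for port in sorted(results):
        state = "REACHABLE" if results[port] else "closed/filtered"
        label = CODESYS_V2_PORTS.get(port, "unknown service")
        lines.append(f"  {port}/tcp ({label}): {state}")
    exposed = exposed_ports(results)
    if exposed:
        lines.append(f"  -> {len(exposed)} advisory port(s) reachable from this vantage point; "
                     "restrict them at the firewall unless this segment hosts engineering stations.")
    else:
        lines.append("  -> no advisory ports reachable from this vantage point.")
    return "\n".join(lines)


if __name__ == "__main__":
    # 192.0.2.10 is a documentation-range placeholder, not a real device.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print(report(target, scan_ports(target)))
```

Run it from the segment that should not be able to reach the PLC (for example the office LAN) as well as from the engineering network; the expected outcome is that only the latter reports the ports as reachable. A completed handshake only proves the port is open, not that the runtime is vulnerable, so the result should drive firewall rules and the version check above rather than replace them.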
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in the insurance, retail, healthcare and critical infrastructure industries, as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.