Pierluigi Paganini June 28, 2022

CODESYS addressed 11 security flaws in the ICS Automation Software that could lead to information disclosure and trigger a denial-of-service (DoS) condition.

CODESYS has released security patches to fix eleven 11 vulnerabilities in its ICS Automation Software. CoDeSys is a development environment for programming controller applications according to the international industrial standard IEC 61131-3. The main product of the software suite is the CODESYS Development System, an IEC 61131-3 tool.

An attacker could exploit the flaw to trigger a denial-of-service (DoS) condition, disclose information, execute arbitrary code, and conduct other malicious activities. Two of these vulnerabilities, tracked as CVE-2022-31805 and CVE-2022-31806, have been rated critical (CVSS scores: 9.8), 7 as high risk, and 2 as medium risk.

The vulnerabilities were discovered as part of in-depth research on CODESYS V2 runtime and PLCs using this kernel (ABB AC500 PLCs).

“These vulnerabilities are simple to exploit, and they can be successfully exploited to cause consequences such as sensitive information leakage, PLCs entering a severe fault state, and arbitrary code execution. In combination with industrial scenarios on field, these vulnerabilities could expose industrial production to stagnation, equipment damage, etc.” reads the advisory published by Chinese cybersecurity firm NSFOCUS said. ” “CodeSys has published an official security advisory that has fixed the mentioned vulnerabilities. However, many vendors who use CODESYS V2 runtime have not yet updated in time, in which case factories using these affected products are still in serious risk.”

The Chinese researchers who discovered the vulnerabilities pointed out that CODESYS V2 Runtime is used by many manufacturers, and most of these manufacturers still use outdated versions. The vulnerabilities affect a large number of manufacturers using a version of CODESYS V2 Runtime older than V2.4.7.57.

The products described below may be affected by the vulnerabilities and require security enhancements.

• ABB AC500 controller
• WAGO 750/PFC200 controller
• FESTO FEC&ECCC controller
• EATON XV&XV controller
• Bosh Rexroth IndraMotion/IndraLogic controller
• EXOR eTop400/500/600 controller
• KINCO F122 CAN BUS controller
• KEBA CPxxx controller
• Bachmann M1 controller

The timeline of the issues is:

• On September 15, 2021 ，Started research on ABB AC series PLC & CODESYS V2 runtime
• On September 29, 2021, 3 vulnerabilities about CODESYS V2 runtime were submitted to codesys On October 25, 2021, codesys published a security advisory and a latest version of CODESYS V2 runtime 2.4.7.56
• On November 4, 2021, 6 vulnerabilities in the latest version were submitted again to the codesys
• On December 8, 2021, codesys officially expect to release the fixes and associated advisories in March/April 2022.
• On January 14, 2022, we submitted 12 vulnerabilities in AC500 PLC to ABB
• On May 24, 2022, codesys officially confirmed the vulnerability and assigned CVE IDs
• On June 23, 2022, codesys published a security advisory anda latest version of CODESYS V2 runtime 2.4.7.57, which fixes multiple vulnerabilities that I submitted.

Below is the list of protection and recommendations recommended by the researchers:

1. locate the affected products behind the security protection devices and perform a defense-in-depth strategy for network security.
2. Try using secure VPN networks when remote access is required, and perform adequate access control and auditing.
3. Pay attention to vendor’s security updates, and upgrade the affected products after testing to keep them secure from threats.
4. Minimize the exposure of private communication ports of the affected devices and selectively close the affected ports such as 1200/1201/2455 according to service scenarios.
5. recommending vendors who use CODESYS V2 Runtime to investigate themselves in time, and actively to fix and release the patched version of firmware.

In a separate advisory published on June 23, CODESYS said it also remediated three other flaws in CODESYS Gateway Server (CVE-2022-31802, CVE-2022-31803, and CVE-2022-31804) that could be leveraged to send crafted requests to bypass authentication and crash the server.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Codesys ICS Automation Software)

[adrotate banner=”5″]

[adrotate banner=”13″]