Two critical flaws affect CODESYS ICS Automation Software

CODESYS addressed 11 security flaws in the ICS Automation Software that could lead to information disclosure and trigger a denial-of-service (DoS) condition.

CODESYS has released security patches to fix eleven 11 vulnerabilities in its ICS Automation Software. CoDeSys is a development environment for programming controller applications according to the international industrial standard IEC 61131-3. The main product of the software suite is the CODESYS Development System, an IEC 61131-3 tool.

An attacker could exploit the flaw to trigger a denial-of-service (DoS) condition, disclose information, execute arbitrary code, and conduct other malicious activities. Two of these vulnerabilities, tracked as CVE-2022-31805 and CVE-2022-31806, have been rated critical (CVSS scores: 9.8), 7 as high risk, and 2 as medium risk.

The vulnerabilities were discovered as part of in-depth research on CODESYS V2 runtime and PLCs using this kernel (ABB AC500 PLCs).

“These vulnerabilities are simple to exploit, and they can be successfully exploited to cause consequences such as sensitive information leakage, PLCs entering a severe fault state, and arbitrary code execution. In combination with industrial scenarios on field, these vulnerabilities could expose industrial production to stagnation, equipment damage, etc.” reads the advisory published by Chinese cybersecurity firm NSFOCUS said. ” “CodeSys has published an official security advisory that has fixed the mentioned vulnerabilities. However, many vendors who use CODESYS V2 runtime have not yet updated in time, in which case factories using these affected products are still in serious risk.”

The Chinese researchers who discovered the vulnerabilities pointed out that CODESYS V2 Runtime is used by many manufacturers, and most of these manufacturers still use outdated versions. The vulnerabilities affect a large number of manufacturers using a version of CODESYS V2 Runtime older than V2.4.7.57.

The products described below may be affected by the vulnerabilities and require security enhancements.

ABB AC500 controller
WAGO 750/PFC200 controller
FESTO FEC&ECCC controller
EATON XV&XV controller
Bosh Rexroth IndraMotion/IndraLogic controller
EXOR eTop400/500/600 controller
KINCO F122 CAN BUS controller
KEBA CPxxx controller
Bachmann M1 controller

The timeline of the issues is:

On September 15, 2021 ，Started research on ABB AC series PLC & CODESYS V2 runtime
On September 29, 2021, 3 vulnerabilities about CODESYS V2 runtime were submitted to codesys On October 25, 2021, codesys published a security advisory and a latest version of CODESYS V2 runtime 2.4.7.56
On November 4, 2021, 6 vulnerabilities in the latest version were submitted again to the codesys
On December 8, 2021, codesys officially expect to release the fixes and associated advisories in March/April 2022.
On January 14, 2022, we submitted 12 vulnerabilities in AC500 PLC to ABB
On May 24, 2022, codesys officially confirmed the vulnerability and assigned CVE IDs
On June 23, 2022, codesys published a security advisory anda latest version of CODESYS V2 runtime 2.4.7.57, which fixes multiple vulnerabilities that I submitted.

Below is the list of protection and recommendations recommended by the researchers:

locate the affected products behind the security protection devices and perform a defense-in-depth strategy for network security.
Try using secure VPN networks when remote access is required, and perform adequate access control and auditing.
Pay attention to vendor’s security updates, and upgrade the affected products after testing to keep them secure from threats.
Minimize the exposure of private communication ports of the affected devices and selectively close the affected ports such as 1200/1201/2455 according to service scenarios.
recommending vendors who use CODESYS V2 Runtime to investigate themselves in time, and actively to fix and release the patched version of firmware.

In a separate advisory published on June 23, CODESYS said it also remediated three other flaws in CODESYS Gateway Server (CVE-2022-31802, CVE-2022-31803, and CVE-2022-31804) that could be leveraged to send crafted requests to bypass authentication and crash the server.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Codesys ICS Automation Software)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.