Microsoft Threat Intelligence researchers discovered 16 high-severity vulnerabilities, collectively tracked as CoDe16, in the CODESYS V3 software development kit (SDK). An attacker can trigger the flaw to gain remote code execution and conduct denial-of-service attacks under specific conditions, exposing operational technology (OT) environments to hacking.
The CVE-2022-47391 received a severity rating of 7.5, while the remaining ones received a CVSS score of 8.8.
“Exploitation of the discovered vulnerabilities, which affect all versions of CODESYS V3 prior to version 22.214.171.124, could put operational technology (OT) infrastructure at risk of attacks, such as remote code execution (RCE) and denial of service (DoS).” reads the advisory published by Microsoft. “The discovery of these vulnerabilities highlights the critical importance of ensuring the security of industrial control systems and underscores the need for continuous monitoring and protection of these environments.”
The researchers explained that an attacker can carry out a DoS attack against a device using a vulnerable version of CODESYS to shut down a power plant. The exploitation of remote code execution issue could allow attackers to set up a backdoor for devices and taking over them. The experts pointed out that the exploiting the vulnerabilities requires user authentication, as well as deep knowledge of the proprietary protocol of CODESYS V3 and the structure of the different services that the protocol uses.
“We were able to apply 12 of the buffer overflow vulnerabilities to gain RCE of PLCs. Exploiting the vulnerabilities requires user authentication as well as bypassing the Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) used by both the PLCs. To overcome the user authentication, we used a known vulnerability, CVE-2019-9013, which allows us to perform a replay attack against the PLC using the unsecured username and password’s hash that were sent during the sign-in process, allowing us to bypass the user authentication process.” continues the report.
The researchers also shared a video PoC of an attack to bypass the ASLR.
Below are the recommendations provided by Microsoft:
Codesys published an advisory for these flaws, the document is available here.
(SecurityAffairs – hacking, OT)