Summary
Two local privilege escalation vulnerabilities were identified in the CODESYS Development System. Specifically, the PackageManager and the IPM create temporary directories with insecure default permissions when executed with administrative privileges. This allows low-privileged local users to modify a temporary bootstrap file to force the deployment of arbitrary components, or to exploit a Time-of-Check to Time-of-Use (TOCTOU) race condition to replace digitally verified installation files with malicious ones prior to installation. Both flaws bypass intended security boundaries during the installation of packages or add-ons.
Impact
Successful exploitation of these two vulnerabilities allows a low-privileged local attacker to achieve local privilege escalation. Because the installation processes of the PackageManager and the IPM run with elevated administrative privileges, any manipulated bootstrap file will be applied or any installation file will be installed in this high-privilege context. This enables the attacker to install arbitrary files to compromise the underlying operating system.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| | CODESYS Development System | vers:generic/<3.5.22.20 |
Vulnerabilities
The affected product extracts installation files to a temporary directory with incorrect default permissions during administrative installation. A low-privileged local attacker can exploit a TOCTOU race condition with a practical time window to replace verified files with malicious ones before installation, resulting in local privilege escalation.
The affected product creates a directory with insecure default permissions during administrative installation. This allows a low-privileged local attacker to modify a temporary file defining the components to be installed, enabling local privilege escalation by forcing the deployment of arbitrary components.
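Both findings share one root cause: files are verified at a path that a low-privileged user can still write to, and the elevated installer later re-reads that path. The following Python is an added illustration, not CODESYS or PackageManager code; a SHA-256 digest stands in for the product's signature check, a callback stands in for the concurrent local user, and `demonstrate()` wires up a constructed scenario so the two patterns can be compared side by side.

```python
import hashlib
import tempfile
from pathlib import Path

def private_staging_dir() -> Path:
    # mkdtemp yields mode 0o700 on POSIX; on Windows it only inherits the parent
    # ACL, so an elevated installer must also set a DACL denying non-admin writes.
    return Path(tempfile.mkdtemp(prefix="staging-"))

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def unsafe_install(src: Path, expected: str, dest: Path, attacker=None) -> bytes:
    # Vulnerable pattern: verify by path, then re-read the path to install.
    # `attacker` stands in for a local user who swaps the file in that window.
    if sha256(src.read_bytes()) != expected:
        raise ValueError("verification failed")
    if attacker:
        attacker()                          # the TOCTOU window
    target = dest / src.name
    target.write_bytes(src.read_bytes())    # installs whatever is at src *now*
    return target.read_bytes()

def safe_install(src: Path, expected: str, dest: Path, attacker=None) -> bytes:
    # Hardened pattern: read once, verify those bytes, install exactly those bytes.
    data = src.read_bytes()
    if sha256(data) != expected:
        raise ValueError("verification failed")
    if attacker:
        attacker()                          # a swap now cannot change the payload
    (dest / src.name).write_bytes(data)
    return data                             # exactly the bytes that were verified

def demonstrate() -> dict:
    # Constructed scenario: a shared drop directory holds a verified package and
    # a low-privileged user replaces it between the check and the install.
    pkg = Path(tempfile.mkdtemp(prefix="drop-")) / "component.pkg"
    genuine, tampered = b"genuine component", b"tampered component"
    expected, out = sha256(genuine), {}
    for name, fn in (("unsafe", unsafe_install), ("safe", safe_install)):
        pkg.write_bytes(genuine)            # reset the drop file for each run
        out[name] = fn(pkg, expected, private_staging_dir(),
                       attacker=lambda: pkg.write_bytes(tampered))
    pkg.write_bytes(tampered)               # tampered before the check: refused
    try:
        safe_install(pkg, expected, private_staging_dir())
        out["rejected"] = False
    except ValueError:
        out["rejected"] = True
    return out
```

The unsafe variant ends up installing the swapped content even though verification passed, while the safe variant installs the verified bytes and refuses content that was already tampered with.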
Remediation
Update the following product to version 3.5.22.20.
* CODESYS Development System
The CODESYS Development System can be downloaded and installed directly with the CODESYS Installer, or downloaded from the CODESYS Store. Alternatively, and for all other products, further information on obtaining the software update is available in the CODESYS Update area: https://www.codesys.com/download/.
Acknowledgments
CODESYS GmbH thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://www.certvde.com )
- David Ruscheweyh from SEW-EURODRIVE GmbH & Co KG for reporting
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 26.05.2026 12:00 | Initial revision. |