Share: Email | Twitter

ID

VDE-2021-054

Published

2022-04-26 12:00 (CEST)

Last update

2022-07-05 16:13 (CEST)

Vendor(s)

Pilz GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
680052 Motion controller PMCprimo C all versions
680053 Motion controller PMCprimo C all versions
680054 Motion controller PMCprimo C all versions
680055 Motion controller PMCprimo C all versions
680062 Motion controller PMCprimo C all versions
680063 Motion controller PMCprimo C all versions
680064 Motion controller PMCprimo C all versions
680065 Motion controller PMCprimo C all versions
680162 Motion controller PMCprimo C all versions
680163 Motion controller PMCprimo C all versions
680164 Motion controller PMCprimo C all versions
680165 Motion controller PMCprimo C all versions
680172 Motion controller PMCprimo C all versions
680173 Motion controller PMCprimo C all versions
680174 Motion controller PMCprimo C all versions
680175 Motion controller PMCprimo C all versions
680182 Motion controller PMCprimo C2.0 (plug-in card) <= 03.07.00
680183 Motion controller PMCprimo C2.0 (plug-in card) <= 03.07.00
680184 Motion controller PMCprimo C2.0 (plug-in card) <= 03.07.00
680185 Motion controller PMCprimo C2.0 (plug-in card) <= 03.07.00
680192 Motion controller PMCprimo C2.1 (housing version) <= 03.07.00
680192(all versions) Motion controller PMCprimo C2.1 (housing version) <= 03.07.00
680193 Motion controller PMCprimo C2.1 (housing version) <= 03.07.00
680194 Motion controller PMCprimo C2.1 (housing version) <= 03.07.00
680195 Motion controller PMCprimo C2.1 (housing version) <= 03.07.00
680082 Motion controller PMCprimo MC <= 03.07.00
680083 Motion controller PMCprimo MC <= 03.07.00
680084 Motion controller PMCprimo MC <= 03.07.00
680085 Motion controller PMCprimo MC <= 03.07.00
265608 Operator terminal/controller PMI 6 primo all versions
265613 Operator terminal/controller PMI 6 primo all versions
264639 Operator terminal/controller PMI 6 primo all versions

Summary

Several Pilz products use Versions V2 and V3 of the CODESYS runtime system from CODESYS GmbH, which enables the execution of IEC 61131-3 PLC programs. These runtime environments contain several vulnerabilities, which an attacker can exploit via the network. Successful exploitation of the vulnerabilities results in reduced availability and, in a worst case, to the insertion of program code.

Vulnerabilities



Last Update
28. September 2021 09:30
Weakness
Out-of-bounds Write (CWE-787)
Summary

CODESYS V2 runtime system SP before 2.4.7.55 has a Stack-based Buffer Overflow.

Last Update
15. Februar 2022 07:35
Weakness
Insufficient Verification of Data Authenticity (CWE-345)
Summary

An exploitable code execution vulnerability exists in the PLC_Task functionality of 3S-Smart Software Solutions GmbH CODESYS Runtime 3.5.14.30. A specially crafted network request can cause remote code execution. An attacker can send a malicious packet to trigger this vulnerability.

Last Update
15. Februar 2022 09:47
Weakness
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
Summary

An issue was discovered in 3S-Smart CODESYS V3 products. The application may utilize non-TLS based encryption, which results in user credentials being insufficiently protected during transport. All variants of the following CODESYS V3 products in all versions containing the CmpUserMgr component are affected regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS V3 Simulation Runtime (part of the CODESYS Development System), CODESYS Control V3 Runtime System Toolkit, CODESYS HMI V3.

Last Update
15. Februar 2022 07:33
Weakness
Use of Out-of-range Pointer Offset (CWE-823)
Summary

A crafted request with invalid offsets may cause an out-of-bounds read or write access in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service condition or local memory overwrite.

Last Update
28. September 2021 09:31
Weakness
Out-of-bounds Write (CWE-787)
Summary

CODESYS V2 runtime system SP before 2.4.7.55 has a Heap-based Buffer Overflow.

Last Update
15. November 2021 17:02
Weakness
Improper Handling of Exceptional Conditions (CWE-755)
Summary

In CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56 unauthenticated crafted invalid requests may result in several denial-of-service conditions. Running PLC programs may be stopped, memory may be leaked, or further communication clients may be blocked from accessing the PLC.

Last Update
28. September 2021 09:30
Weakness
Out-of-bounds Read (CWE-125)
Summary

CODESYS V2 runtime system before 2.4.7.55 has Improper Input Validation.

Last Update
17. November 2022 13:09
Weakness
NULL Pointer Dereference (CWE-476)
Summary
CODESYS Gateway 3 before 3.5.16.70 has a NULL pointer dereference that may result in a denial of service (DoS).
Last Update
8. September 2021 08:50
Weakness
Improper Handling of Exceptional Conditions (CWE-755)
Summary

An issue was discovered in 3S-Smart CODESYS before 3.5.15.0 . Crafted network packets cause the Control Runtime to crash.

Last Update
8. September 2021 08:50
Weakness
Out-of-bounds Write (CWE-787)
Summary

An exploitable memory corruption vulnerability exists in the Name Service Client functionality of 3S-Smart Software Solutions CODESYS GatewayService. A specially crafted packet can cause a large memcpy, resulting in an access violation and termination of the process. An attacker can send a packet to a device running the GatewayService.exe to trigger this vulnerability. All variants of the CODESYS V3 products in all versions prior V3.5.16.10 containing the CmpRouter or CmpRouterEmbedded component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PLCnext, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS Control V3 Runtime System Toolkit, CODESYS V3 Embedded Target Visu Toolkit, CODESYS V3 Remote Target Visu Toolkit, CODESYS V3 Safety SIL2, CODESYS Edge Gateway V3, CODESYS Gateway V3, CODESYS HMI V3, CODESYS OPC Server V3, CODESYS PLCHandler SDK, CODESYS V3 Simulation Runtime (part of the CODESYS Development System).

Last Update
17. November 2022 13:09
Weakness
NULL Pointer Dereference (CWE-476)
Summary

In CODESYS Gateway V3 before 3.5.17.10, there is a NULL Pointer Dereference. Crafted communication requests may cause a Null pointer dereference in the affected CODESYS products and may result in a denial-of-service condition.

Last Update
8. September 2021 08:49
Weakness
Improper Input Validation (CWE-20)
Summary

CODESYS Control Runtime system before 3.5.17.0 has improper input validation. Attackers can send crafted communication packets to change the router's addressing scheme and may re-route, add, remove or change low level communication packages.

Last Update
15. Februar 2022 07:33
Weakness
Access of Uninitialized Pointer (CWE-824)
Summary

A crafted request may cause a read access to an uninitialized pointer in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service condition.

Last Update
15. Februar 2022 09:51
Weakness
NULL Pointer Dereference (CWE-476)
Summary

3S-Smart CODESYS SP Realtime NT before V2.3.7.28, CODESYS Runtime Toolkit 32 bit full before V2.4.7.54, and CODESYS PLCWinNT before V2.4.7.54 allow a NULL pointer dereference.

Last Update
8. September 2021 08:50
Weakness
Allocation of Resources Without Limits or Throttling (CWE-770)
Summary

CODESYS Control V3, Gateway V3, and HMI V3 before 3.5.15.30 allow uncontrolled memory allocation which can result in a remote denial of service condition.

Last Update
18. Juli 2022 11:13
Severity
-
Weakness
-
Summary

The hashing procedure used to save passwords is inadequate.

Last Update
15. Februar 2022 09:48
Severity
-
Weakness
-
Summary

This vulnerability enables valid user names to be identified.

Last Update
15. Februar 2022 09:46
Severity
-
Weakness
-
Summary

The user password can be changed without having to enter the original password.

Impact

The affected products use the CODESYS runtime environment from CODESYS GmbH. Either Version V2 or V3 is active, depending on the configuration. V3 is activated upon delivery. These runtime environments contain the listed vulnerabilities. Some of the vulnerabilities only affect either version V2 or V3 of the CODESYS runtime environment.

Solution

General countermeasures

  • Use a firewall or comparable measures at network level to protect the devices from unauthorised network communication.
  • Employ user management to restrict online access to authorised persons.

Product-specific countermeasures

  • PMI 6 primo, PMCprimo C: No product-specific countermeasures available, please follow the general countermeasures.
  • PMCprimo C2, PMCprimo MC: Installation of Firmware Version 03.08.00 This update does not resolve the vulnerabilities (CVE-2021-34595, CVE-2021-34596, CVE-2021-34593, CVE-2021-30186, CVE-2021-30188, CVE-2021-30195, CVE-2019-19789) in the CODESYS V2 runtime system. The V2 runtime system is still included for compatibility reasons but is no longer supported by Pilz. Please migrate your application to the V3 runtime system or follow the general countermeasures.

Reported by

Pilz would like to thank CERT@VDE for coordinating publication.