Share: Email | Twitter

ID

VDE-2021-056

Published

2021-11-16 15:11 (CET)

Last update

2021-11-24 09:48 (CET)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
750-8202/xxx-xxx <= 03.07.14 (19)
750-8203/xxx-xxx <= 03.07.14 (19)
750-8204/xxx-xxx <= 03.07.14 (19)
750-8206/xxx-xxx <= 03.07.14 (19)
750-8207/xxx-xxx <= 03.07.14 (19)
750-8208/xxx-xxx <= 03.07.14 (19)
750-8210/xxx-xxx <= 03.07.14 (19)
750-8211/xxx-xxx <= 03.07.14 (19)
750-8212/xxx-xxx <= 03.07.14 (19)
750-8213/xxx-xxx <= 03.07.14 (19)
750-8214/xxx-xxx <= 03.07.14 (19)
750-8216/xxx-xxx <= 03.07.14 (19)
750-8217/xxx-xxx <= 03.07.14 (19)
750-823 <= FW09
750-829 <= FW16
750-831/000-00x <= FW14
750-832/000-00x <= FW09
750-852 <= FW16
750-862 <= FW09
750-880/0xx-xxx <= FW16
750-881 <= FW16
750-882 <= FW16
750-885/0xx-xxx <= FW16
750-889 <= FW16
750-890/0xx-xxx <= FW09
750-891 <= FW09
750-893 <= FW09

Summary

Multiple vulnerabilities were reported in CODESYS 2.3 Runtime. The CODESYS 2.3 Runtime is an essential component in several WAGO PLCs. All vulnerable PLCs are listed in chapter ‘Affected Products’.
https://www.codesys.com/security/security-reports.html

Vulnerabilities



CVE-2021-34584
9.1
Last Update
15. November 2021 17:02
Severity
9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
Weakness
Buffer Over-read (CWE-126)
Summary

Crafted web server requests can be utilised to read partial stack or heap memory or may trigger a denial-of- service condition due to a crash in the CODESYS V2 web server prior to V1.1.9.22.

Details
nvd.nist.gov 
CVE-2021-34595
8.1
Last Update
15. Februar 2022 07:33
Severity
8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
Weakness
Use of Out-of-range Pointer Offset (CWE-823)
Summary

A crafted request with invalid offsets may cause an out-of-bounds read or write access in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service condition or local memory overwrite.

Details
nvd.nist.gov 
CVE-2021-34583
7.5
Last Update
15. November 2021 17:02
Severity
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
Heap-based Buffer Overflow (CWE-122)
Summary

Crafted web server requests may cause a heap-based buffer overflow and could therefore trigger a denial-of- service condition due to a crash in the CODESYS V2 web server prior to V1.1.9.22.

Details
nvd.nist.gov 
CVE-2021-34585
7.5
Last Update
17. November 2022 13:09
Severity
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
Unchecked Return Value (CWE-252)
Summary

In the CODESYS V2 web server prior to V1.1.9.22 crafted web server requests can trigger a parser error. Since the parser result is not checked under all conditions, a pointer dereference with an invalid address can occur. This leads to a denial of service situation.

Details
nvd.nist.gov 
CVE-2021-34586
7.5
Last Update
15. November 2021 17:02
Severity
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
NULL Pointer Dereference (CWE-476)
Summary

In the CODESYS V2 web server prior to V1.1.9.22 crafted web server requests may cause a Null pointer dereference in the CODESYS web server and may result in a denial-of-service condition.

Details
nvd.nist.gov 
CVE-2021-34596
6.5
Last Update
15. Februar 2022 07:33
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness
Access of Uninitialized Pointer (CWE-824)
Summary

A crafted request may cause a read access to an uninitialized pointer in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service condition.

Details
nvd.nist.gov 

Impact

The reported vulnerabilities allow an attacker who has access to the device and is able to exploit the vulnerabilities, to manipulate and disrupt the CODESYS 2.3 Runtime or WebVisualisation.

Solution

UPDATE A: fixed Firmware versions for 750-890/0xx-xxx, 750-891 and 750-893
We recommend all effected users with CODESYS 2.3 Runtime PLCs to update to the firmware version listed below.

Series Ethernet Controller

Article Number Fixed Firmware
Versions		 Available
750-823 >=FW10 January 2022
750-829 >=FW17 After BACnet certification
750-831/000-00x >=FW17 After BACnet certification
750-832/000-00x >=FW10 After BACnet certification
750-852 >=FW17 Q1 2022
750-862 >=FW10 January 2022
750-880/0xx-xxx >=FW17 Q1 2022
750-881 >=FW17 Q1 2022
750-882 >=FW17 Q1 2022
750-885/0xx-xxx >=FW17 Q1 2022
750-889 >=FW17 Q1 2022
750-890/0xx-xxx >=FW10 January 2022
750-891 January 2022
750-893 January 2022

PFC200 Controller

Article Number Affected Firmware
Versions		 Approx.
Available
750-8202/xxx-xxx >=FW20 January 2022
750-8203/xxx-xxx
750-8204/xxx-xxx
750-8206/xxx-xxx
750-8207/xxx-xxx
750-8208/xxx-xxx
750-8210/xxx-xxx
750-8211/xxx-xxx
750-8212/xxx-xxx
750-8213/xxx-xxx
750-8214/xxx-xxx
750-8216/xxx-xxx
750-8217/xxx-xxx

Mitigation

  1. Use general security best practices to protect systems from local and network attacks.
  2. Do not allow direct access to the device from untrusted networks.
  3. Update to the latest firmware according to the table in chapter solutions.
  4. Disable the CODESYS 2.3 WebVisualisation and CODESYS 2.3 port 2455.

For further impact information and risk mitigation, please refer to the official CODESYS Advisory Website at https://www.codesys.com/security/security-reports.html

Reported by

These vulnerabilities were reported by

  • CVE-2021-34583, -34584, -34585, -34586 by Tenable Research
  • CVE-2021-34595 by Chen Jie and Gao Jian of NSFOCUS
  • CVE-2021-34596 by Gao Jian of NSFOCUS

Coordination done by CERT@VDE.