| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| WAGO-I/O-PRO | Engineering Software | <= 2.3.9.68 |
| 750-331 | Ethernet Controller 3rd Generation | <= 01.04.16(14) |
| 750-829 | Ethernet Controller 3rd Generation | <= 01.04.16(14) |
| 750-831/xxx-xxx | Ethernet Controller 3rd Generation | <= 01.04.16(14) |
| 750-852 | Ethernet Controller 3rd Generation | <= 01.09.25(16) |
| 750-881 | Ethernet Controller 3rd Generation | <= 01.09.25(16) |
| 750-882 | Ethernet Controller 3rd Generation | <= 01.08.25(16) |
| 750-885/xxx-xxx | Ethernet Controller 3rd Generation | <= 01.07.25(16) |
| 750-889 | Ethernet Controller 3rd Generation | <= 01.03.25(16) |
| 750-880/xxx-xxx | Ethernet Controller 3rd Generation | <= 01.08.25(16) |
| 750-823 | Ethernet Controller 4th Generation | <= 01.05.04(10) |
| 750-332 | Ethernet Controller 4th Generation | <= 01.02.16(06) |
| 750-832/xxx-xxx | Ethernet Controller 4th Generation | <= 01.02.16(06) |
| 750-862 | Ethernet Controller 4th Generation | <= 01.05.04(10) |
| 750-890/xxx-xxx | Ethernet Controller 4th Generation | <= 01.05.04(10) |
| 750-891 | Ethernet Controller 4th Generation | <= 01.05.04(10) |
| 750-893 | Ethernet Controller 4th Generation | <= 01.05.04(10) |
| 750-8202/xxx-xxx | PFC200 | <= 03.10.08(22) |
| 750-8203/xxx-xxx | PFC200 | <= 03.10.08(22) |
| 750-8204/xxx-xxx | PFC200 | <= 03.10.08(22) |
| 750-8206/xxx-xxx | PFC200 | <= 03.10.08(22) |
| 750-8207/xxx-xxx | PFC200 | <= 03.10.08(22) |
| 750-8208/xxx-xxx | PFC200 | <= 03.10.08(22) |
| 750-8210/xxx-xxx | PFC200 | <= 03.10.08(22) |
| 750-8211/xxx-xxx | PFC200 | <= 03.10.08(22) |
| 750-8212/xxx-xxx | PFC200 | <= 03.10.08(22) |
| 750-8213/xxx-xxx | PFC200 | <= 03.10.08(22) |
| 750-8214/xxx-xxx | PFC200 | <= 03.10.08(22) |
| 750-8216/xxx-xxx | PFC200 | <= 03.10.08(22) |
| 750-8217/xxx-xxx | PFC200 | <= 03.10.08(22) |
UPDATE A: Solution has updated release dates
UPDATE B: Solution has updated release dates
This Advisory is published with reference to:
In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57 password protection is not enabled by default and there is no information or prompt to enable password protection at login in case no password is set at the controller.
In CODESYS Gateway Server V2 for versions prior to V2.3.9.38 only a part of the the specified password is been compared to the real CODESYS Gateway password. An attacker may perform authentication by specifying a small password that matches the corresponding part of the longer real CODESYS Gateway password.
In multiple CODESYS products, a low privileged remote attacker may craft a request, which may cause a heap-based buffer overflow, resulting in a denial-of-service condition or memory overwrite. User interaction is not required.
In multiple CODESYS products, file download and upload function allows access to internal files in the working directory e.g. firmware files of the PLC. All requests are processed on the controller only if no level 1 password is configured on the controller or if remote attacker has previously successfully authenticated himself to the controller. A successful Attack may lead to a denial of service, change of local files, or drain of confidential Information. User interaction is not required
In multiple CODESYS products, a remote attacker may craft a request which may cause an unexpected sign extension, resulting in a denial-of-service condition or memory overwrite.
Multiple CODESYS Products are prone to a out-of bounds read or write access. A low privileged remote attacker may craft a request with invalid offset, which can cause an out-of-bounds read or write access, resulting in denial-of-service condition or local memory overwrite, which can lead to a change of local files. User interaction is not required.
Multiple products of CODESYS implement a improper error handling. A low privilege remote attacker may craft a request, which is not properly processed by the error handling. In consequence, the file referenced by the request could be deleted. User interaction is not required.
The CODESYS Gateway Server V2 does not verifiy that the size of a request is within expected limits. An unauthenticated attacker may allocate an arbitrary amount of memory, which may lead to a crash of the Gateway due to an out-of-memory condition.
In the CODESYS Development System multiple components in multiple versions transmit the passwords for the communication between clients and servers unprotected.
In multiple CODESYS products, a low privileged remote attacker may craft a request, which cause an out-of-bounds read, resulting in a denial-of-service condition. User Interaction is not required.
Multiple CODESYS products are affected to a buffer overflow.A low privileged remote attacker may craft a request, which can cause a buffer copy without checking the size of the service, resulting in a denial-of-service condition. User Interaction is not required.
Multiple CODESYS Products are prone to a buffer over read. A low privileged remote attacker may craft a request with an invalid offset, which can cause an internal buffer over-read, resulting in a denial-of-service condition. User interaction is not required.
In multiple CODESYS products, a low privileged remote attacker may craft a request that cause a read access to an uninitialized pointer, resulting in a denial-of-service. User interaction is not required.
In CODESYS Gateway Server V2 an insufficient check for the activity of TCP client connections allows an unauthenticated attacker to consume all available TCP connections and prevent legitimate users or clients from establishing a new connection to the CODESYS Gateway Server V2. Existing connections are not affected and therefore remain intact.
From vulnerabilities CVE-2022-1965, CVE-2022-32136, CVE-2022-32137, CVE-2022-32138, CVE-2022-32139, CVE-2022-32140, CVE-2022-32141, CVE-2022-32142, CVE-2022-32143 (CODESYS Advisory 2022-11):
By crafting special packets / requests a low skilled attacker can exploit the vulnerabilities. This can lead to denial-of-service conditions or deleting files.
From vulnerabilities CVE-2022-31805, CVE-2022-31806 (CODESYS Advisory 2022-12):
A low skilled attacker is able to gather insufficiently protected credentials having access to the communication between client and server.
From vulnerabilities CVE-2022-31802, CVE-2022-31803, CVE-2022-31804 (CODESYS Advisory 2022-13):
An attacker with low skills is able to gather insufficiently protected credentials having local access or access to the online communication traffic
Mitigation
For vulnerabilities CVE-2022-1965, CVE-2022-32136, CVE-2022-32137, CVE-2022-32138, CVE-2022-32139, CVE-2022-32140, CVE-2022-32141, CVE-2022-32142, CVE-2022-32143 (CODESYS Advisory 2022-11):
• Activation of online user management, to prevent unallowed actions from unauthorized attackers
• Setting strong passwords
• Use e!Runtime or CODESYS V3
For vulnerabilities CVE-2022-31805, CVE-2022-31806 (CODESYS Advisory 2022-12):
Activation of online user management, to prevent unallowed actions from unauthorized attackers
Use encryption of online communication whenever possible, this protects password transmission.
General mitigation recommendations by CODESYS GmbH to reduce the risk of exploits:
Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
Use firewalls to protect and separate the control system network from other networks
Use VPN (Virtual Private Networks) tunnels if remote access is required
Activate and apply user management and password features
Use encrypted communication links
Limit the access to both development and control system by physical means, operating system features, etc.
Protect both development and control system by using up to date virus detecting solutions
For further impact information and risk mitigation, please refer to the official CODESYS Advisory Website at
www.codesys.com/security/security-reports.html
Solution
WAGO recommends that all affected users with WAGO I/O-PRO/CODESYS 2.3 PLCs update to the firmware and use the latest version of WAGO I/O-Pro as soon as it is available.
Until the updates are available, we recommend switching off the CODESYS IP port 2455 after commissioning or, if this not possible, use a strong admin password.
| Ord. No. | Firmware | |
| PFC200 Family | ||
| 750-8202/xxx-xxx | UPDATE B: Available in Q1 2024 |
|
| 750-8203/xxx-xxx | ||
| 750-8204/xxx-xxx | ||
| 750-8206/xxx-xxx | ||
| 750-8207/xxx-xxx | ||
| 750-8208/xxx-xxx | ||
| 750-8210/xxx-xxx | ||
| 750-8211/xxx-xxx | ||
| 750-8212/xxx-xxx | ||
| 750-8213/xxx-xxx | ||
| 750-8214/xxx-xxx | ||
| 750-8216/xxx-xxx | ||
| 750-8217/xxx-xxx | ||
| Ethernet Controller 4th Generation Family UPDATE B | ||
| 750-823 | FW11 | |
| 750-332 | FW11 after BACnet Certification | |
| 750-832/xxx-xxx | FW11 after BACnet Certification | |
| 750-862 | FW11 | |
| 750-890/xxx-xxx | FW11 | |
| 750-891 | FW11 | |
| 750-893 | FW11 | |
| Ethernet Controller 3rd Generation Family UPDATE B | ||
| 750-331 | Available in Q3 2023 | |
| 750-829 | FW17 | |
| 750-831/xxx-xxx | Discontinued no fix | |
| 750-852 | FW17 | |
| 750-880/xxx-xxx | FW17 | |
| 750-881 | FW17 | |
| 750-882 | FW17 | |
| 750-885/xxx-xxx | FW17 | |
| 750-889 | FW17 | |
| Engineering Software | ||
| WAGO-I/O-PRO 32 | UPDATE B: 2.3.9.70 |
|
CERT@VDE coordinated with WAGO