Share: Email | Twitter

ID

VDE-2023-063

Published

2024-01-30 08:00 (CET)

Last update

2024-01-25 12:05 (CET)

Vendor(s)

Festo SE & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
3473128 Control block CPX-CEC-C1-V3 (HW <= 8) <= 4.0.4
3472765 Control block CPX-CEC-M1-V3 (HW <= 8) <= 4.0.4
3472425 Control block CPX-CEC-S1-V3 (HW <= 8) <= 4.0.4
4252742 Control block CPX-E-CEC-C1-EP (HW < 8) 2.2.14
4252742 Control block CPX-E-CEC-C1-EP (HW >= 8) 3.2.10
5226780 Control block CPX-E-CEC-C1 (HW <= 5) <= 10.1.4
4252741 Control block CPX-E-CEC-C1-PN (HW < 8) 2.2.14
4252741 Control block CPX-E-CEC-C1-PN (HW >= 8) 3.2.10
4252744 Control block CPX-E-CEC-M1-EP (HW < 8) 2.2.14
4252744 Control block CPX-E-CEC-M1-EP (HW >= 8) 3.2.10
5266781 Control block CPX-E-CEC-M1 (HW <= 5) <= 10.1.4
4252743 Control block CPX-E-CEC-M1-PN (HW < 8) 2.2.14
4252743 Control block CPX-E-CEC-M1-PN (HW >= 8) 3.2.10
8072995 Controller CECC-D-BA (HW <=7) <= 2.4.2
2463301 Controller CECC-D-CS (HW <=7) <= 2.4.2
574415 Controller CECC-D (HW <= 7) <= 2.4.2
574418 Controller CECC-LK (HW <= 7) <= 2.4.2
574416 Controller CECC-S (HW <= 7) <= 2.4.2
4407603 Controller CECC-X-M1 (Gen3) <= 3.8.18
8124922 Controller CECC-X-M1 (Gen4) <= 4.0.18
4407605 Controller CECC-X-M1-MV (Gen3) <= 3.8.18
8124923 Controller CECC-X-M1-MV (Gen4) <= 4.0.18
4407606 Controller CECC-X-M1-MV-S1 (Gen3) <= 3.8.18
8124924 Controller CECC-X-M1-MV-S1 (Gen4) <= 4.0.18
574412 Operator unit CDPX-X-A-S-10 <= 3.5.7.159
574413 Operator unit CDPX-X-A-W-13 <= 3.5.7.159
574410 Operator unit CDPX-X-A-W-4 <= 3.5.7.159
574411 Operator unit CDPX-X-A-W-7 <= 3.5.7.159
8155217 Operator unit CDPX-X-E1-W-10 <= 3.5.7.159
8155218 Operator unit CDPX-X-E1-W-15 <= 3.5.7.159
8155216 Operator unit CDPX-X-E1-W-7 <= 3.5.7.159

Summary

Several high severity vulnerabilities in CODESYS V3 affecting Festo products could lead to Remote Code Execution or Denial of Service.

Vulnerabilities



Last Update
27. Juli 2023 14:27
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
27. Juli 2023 14:27
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated, remote attacker may use a out-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into memory which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
27. Juli 2023 14:27
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated remote attacker may use a stack based  out-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
27. Juli 2023 14:27
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
27. Juli 2023 14:27
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
27. Juli 2023 14:27
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
27. Juli 2023 14:27
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
27. Juli 2023 14:27
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
27. Juli 2023 14:27
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpAppForce Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
27. Juli 2023 14:27
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
27. Juli 2023 14:27
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
27. Juli 2023 14:27
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
27. Juli 2023 14:27
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple CODESYS products in multiple versions an unauthorized, remote attacker may use a improper input validation vulnerability to read from invalid addresses leading to a denial of service.

Last Update
27. Juli 2023 14:27
Weakness
Improper Input Validation (CWE-20)
Summary

An authenticated, remote attacker may use a improper input validation vulnerability in the CmpApp/CmpAppBP/CmpAppForce Components of multiple CODESYS products in multiple versions to read from an invalid address which can lead to a denial-of-service condition.

Last Update
27. Juli 2023 14:27
Weakness
Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
Summary

An authenticated, remote attacker may use a Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple versions of multiple CODESYS products to force a denial-of-service situation.

Last Update
27. Juli 2023 14:27
Weakness
Improper Input Validation (CWE-20)
Summary

Multiple CODESYS products in multiple versions are prone to a improper input validation vulnerability. An authenticated remote attacker may craft specific requests that use the vulnerability leading to a denial-of-service condition.

Impact

Please check the references in the CVEs.

Solution

Mitigation

As part of a security strategy, Festo recommends the following general defense measures to reduce the risk of exploits:

  • Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
  • Use firewalls to protect and separate the control system network from other networks
  • Use VPN (Virtual Private Networks) tunnels if remote access is required
  • Activate and apply user management and password features
  • Use encrypted communication links
  • Limit the access to both development and control system by physical means, operating system features, etc.
  • Protect both development and control system by using up to date virus detecting solutions

Festo strongly recommends to minimize and protect network access to connected devices with state of the art techniques and processes.
For a secure operation follow the recommendations in the product manuals.

Remediation

For all vulnerability identifiers except CECC-D, CECC-D-CS, CECC-D-BA, CECC-S, CECC-X Gen3 and CECC-LK: Update planned end of Q3 2024.

Reported by

CERT@VDE coordinated with Festo