
ID

VDE-2025-013

Published

2025-03-18 12:00 (CET)

Last update

2025-03-14 11:04 (CET)

Vendor(s)

CODESYS GmbH

Product(s)

| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| | CODESYS Edge Gateway | < 3.5.21.0 |
| | CODESYS Gateway for Windows | < 3.5.21.0 |

Summary

The CODESYS Gateway enables communication between CODESYS runtimes and other clients, primarily the CODESYS Development System V3. It is usually installed as a part of the CODESYS Development System V3 setup and accessed locally by the CODESYS Development System. Due to an insecure standard configuration of the CODESYS Gateway, it is not only accessible locally, but also remotely by default.


CVE ID

CVE-2024-41975

Last Update:

14 March 2025 10:49

Weakness

Initialization of a Resource with an Insecure Default (CWE-1188)

Summary

An unauthenticated remote attacker can gain limited information about the PLC network, but the user management of the PLCs prevents actual access to the PLCs.

Details

certvde.com 

Impact

The CODESYS Gateway serves as a communication channel for various clients to CODESYS runtimes. By default, the CODESYS Gateway listens on all available network adapters on port 1217 and can therefore be accessed remotely. However, remote access to the CODESYS Gateway is only required in certain network configurations. Since the CODESYS Gateway is usually accessed locally, many users are unaware of this remote access option, which can enable scanning of and access to restricted PLC networks. Unauthenticated attackers can therefore search for PLCs, but the user management of the PLCs prevents the actual access to the PLCs – unless it is disabled.

Please note that the CODESYS (Edge) Gateway for Windows can be installed as a separate setup or as part of other setups such as the CODESYS Development System V3 setup or the CODESYS OPC DA Server setup.

Solution

Mitigation

There are two possibilities to mitigate the vulnerability in CODESYS (Edge) Gateways with versions before 3.5.21.0:

  1. Check the "LocalAddress" setting in the [CmpGwCommDrvTcp] section of the gateway's configuration file as follows:

    [CmpGwCommDrvTcp]
    LocalAddress=127.0.0.1 ; allow access only from the local computer
    ;LocalAddress=192.168.1.1 ; IP address (of any adapter) to be listened to - access is only allowed via this address
    ;LocalAddress=0.0.0.0 ; allow access from any remote machine
    
  2. To reset the Microsoft Windows firewall rule, you must first uninstall the setup that was originally used to install the affected CODESYS Gateway. Besides the standalone gateway setup, this can be one of the following setups:

    • CODESYS Development System V3

    • CODESYS Control Win (SL)

    • CODESYS HMI

    • CODESYS OPC DA Server SL

    Afterward, perform the custom steps in the setup and ensure that the "CODESYS Gateway" is unchecked in the "Firewall Settings" screen.

Remediation

Update the following products to version 3.5.21.0.

• CODESYS Edge Gateway for Windows

• CODESYS Gateway for Windows

Please note that a new version of the CODESYS (Edge) Gateway for Windows can be installed either with the corresponding standalone setup or as part of the setups of the following other CODESYS products:

• CODESYS Development System V3

• CODESYS Control Win (SL)

• CODESYS HMI

• CODESYS OPC DA Server SL

To ensure that all firewall rules are reset, we recommend uninstalling the previously mentioned setups that installed an affected gateway.

Compatibility notes: By default, all 3.5.21.0 setups that install a CODESYS (Edge) gateway configure the CODESYS gateway to only allow local client access and do not add a Microsoft Windows firewall rule for CODESYS gateways V3 and V2.3. However, if remote access is required, you can follow the custom steps in the setup and select the “Allow remote access” checkbox. In addition, remote access can be enabled for specific IP addresses by changing the “LocalAddress” setting in the [CmpGwCommDrvTcp] section in the Gateway.ini file:

    [CmpGwCommDrvTcp]
    LocalAddress=127.0.0.1 ; allow access only from the local computer
    ;LocalAddress=192.168.1.1 ; IP address (of any adapter) to be listened to - access is only allowed via this address
    ;LocalAddress=0.0.0.0 ; allow access from any remote machine
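
One way to audit the "LocalAddress" setting described under Mitigation and in the compatibility notes, added here as an example (not CODESYS or CERT@VDE code): it parses the text of a gateway configuration file and classifies the listen address. The function name, verdict strings and sample configurations are constructed for illustration; treating a missing setting as exposed on versions before 3.5.21.0 is an assumption drawn from the advisory's description of the default.

```python
import configparser
import ipaddress

# Section and key names are taken from the advisory.
SECTION, KEY = "CmpGwCommDrvTcp", "LocalAddress"

def gateway_exposure(ini_text):
    """Return (verdict, address) for the gateway's TCP listen address."""
    cp = configparser.ConfigParser(
        comment_prefixes=(";", "#"), inline_comment_prefixes=(";",),
        strict=False, allow_no_value=True, interpolation=None)
    cp.read_string(ini_text)
    raw = cp.get(SECTION, KEY, fallback=None)
    if not raw:
        # Assumption: with no explicit setting, an affected version (< 3.5.21.0)
        # uses the default the advisory describes (all adapters, port 1217).
        return ("unset", None)
    value = raw.strip()
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return ("invalid", value)      # e.g. a hostname or a typo
    if addr.is_loopback:
        return ("local-only", str(addr))
    if addr.is_unspecified:
        return ("all-adapters", str(addr))
    return ("single-adapter", str(addr))  # remote access via one adapter

# Constructed sample configurations (not taken from a real installation).
SAMPLES = {
    "hardened": "[CmpGwCommDrvTcp]\n"
                "LocalAddress=127.0.0.1 ; allow access only from the local computer\n"
                ";LocalAddress=0.0.0.0 ; allow access from any remote machine\n",
    "exposed": "[CmpGwCommDrvTcp]\nLocalAddress=0.0.0.0\n",
    "adapter": "[CmpGwCommDrvTcp]\nLocalAddress=192.168.1.1\n",
    "commented": "[CmpGwCommDrvTcp]\n;LocalAddress=127.0.0.1\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        verdict, addr = gateway_exposure(text)
        flag = "OK" if verdict == "local-only" else "REVIEW"
        print(f"{name:10} {verdict:15} {addr or '-':15} {flag}")
```

The "commented" sample shows the case that is easy to miss: a commented-out "LocalAddress" line sets nothing, so the result is "unset" rather than "local-only".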

The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or downloaded from the CODESYS Store. Alternatively, and for all other products, further information on obtaining the software update is available in the CODESYS Update area: https://www.codesys.com/download

Reported by

CERT@VDE coordinated with CODESYS

Reporting: Diego Guibertoni from Nozomi Networks