Product Name | Affected Version(s)
---|---
CODESYS Control for BeagleBone SL | < 4.16.0.0
CODESYS Control for emPC-A/iMX6 SL | < 4.16.0.0
CODESYS Control for IOT2000 SL | < 4.16.0.0
CODESYS Control for Linux ARM SL | < 4.16.0.0
CODESYS Control for Linux SL | < 4.16.0.0
CODESYS Control for PFC100 SL | < 4.16.0.0
CODESYS Control for PFC200 SL | < 4.16.0.0
CODESYS Control for PLCnext SL | < 4.16.0.0
CODESYS Control for Raspberry Pi SL | < 4.16.0.0
CODESYS Control for WAGO Touch Panels 600 SL | < 4.16.0.0
CODESYS Runtime Toolkit | < 3.5.21.20
CODESYS Virtual Control SL | < 4.16.0.0
On certain operating systems (e.g., Linux), default file system permissions may allow read access to the files of the CODESYS Control runtime system for non-administrator users. The documentation provided with the CODESYS Runtime Toolkit does not explicitly address this risk. As a result, products based on the toolkit may unintentionally expose sensitive runtime files to local operating system users with limited privileges.
CODESYS Control runtime system based devices are affected if they provide access to the operating system (e.g., via a local user interface or SSH) and user accounts without administrator rights for this access exist or can be created.
CODESYS Runtime Toolkit-based products may expose sensitive files to local low-privileged operating system users due to default file permissions.
The affected products do not explicitly restrict read permissions for other local operating system users, potentially allowing unauthorized access to sensitive runtime files.
General Recommendation
As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice defense measures:
For more information and general recommendations for protecting machines and plants, see also the CODESYS Security Whitepaper here.
Mitigation
If the CODESYS Control runtime system is operated on an operating system with multi-user support, other users may potentially gain access to runtime-related files. Thus, it is essential to configure the storage locations for CODESYS Control runtime files in accordance with the operating system's security best practices. These locations should, by default, restrict access to unauthorized users. If the operating system does not support such access control mechanisms or if implementing them is not feasible, an alternative approach is to explicitly revoke read and write permissions for all non-administrative users on the directories used by the CODESYS Control runtime system.
The following directories must be secured:
Note: Protecting individual files is not sufficient. The entire directories must be secured to ensure that any files created in the future are also protected.
Alternatively, where applicable, all non-administrative user accounts can be removed from the system, and their re-creation should be prevented. Additionally, it is recommended to disable remote access methods that allow file access (e.g., SSH) wherever possible, in order to reduce the overall attack surface.
Best practice recommendations for Linux and QNX Systems:
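The directory lockdown described under Mitigation, as an added shell example that is not part of the advisory or of CODESYS's own tooling: one function makes the runtime account the owner of a directory tree and removes every permission from group and other, and a second function reports anything under the tree that is still readable by other users. The runtime account name and the directory paths are assumptions passed in as parameters; substitute the account your device runs the runtime under and the directories listed in the runtime documentation.

```shell
#!/bin/sh
# Added example (not CODESYS code): restrict CODESYS Control runtime
# directories to the runtime account. Directory paths and the account
# name are assumptions supplied by the caller.

# Print the mode of a path as an octal string (GNU stat first, BSD stat
# as a fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# harden_runtime_dir DIR OWNER
# Make OWNER own the whole tree and strip read, write and execute from
# group and other. Because the directory itself becomes 0700, a file
# created inside it later cannot be reached by other non-root users
# regardless of that file's own mode: traversal needs execute permission
# on every parent directory. That is why the advisory asks for the
# directories, not individual files, to be protected.
harden_runtime_dir() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    chown -R "$owner" "$dir" || return 1
    chmod -R go-rwx "$dir" || return 1
    # keep the owner able to enter the directory and create files in it
    chmod u+rwx "$dir" || return 1
    return 0
}

# find_exposed DIR
# Print every path under DIR that is still readable by group (octal 040)
# or other (octal 004). Returns 1 if anything is printed, 0 if the tree
# is clean. Root can of course still read everything (see the note in
# the advisory).
find_exposed() {
    exposed=$(find "$1" \( -perm -040 -o -perm -004 \) -print)
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed"
        return 1
    fi
    return 0
}

# Usage (as root on the device), with placeholder arguments:
#   harden_runtime_dir <runtime-dir> <runtime-user> && find_exposed <runtime-dir>
```

Run `find_exposed` again after the runtime has been started at least once: it will list any new file or directory the runtime created outside the hardened trees, which is the quickest way to discover a storage location you forgot to include.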
Remediation
Version 3.5.21.20 of the CODESYS Runtime Toolkit provides an updated CODESYS Control V3 Runtime System Documentation:
In particular, Chapter 5 (Architecture Manual), Section 5.4 (Portings), Subsection 5.4.1 (Security Considerations), Subsection 5.4.1.1 (Operating System Folder Permissions) now provides detailed guidance for device manufacturers on how to address the described security vulnerability. The same information is also included as Mitigation in this advisory.
CODESYS GmbH strongly recommends that this guidance be followed in order to effectively close the security vulnerability on affected devices. Devices are particularly at risk if they offer direct access to the operating system (e.g., via a local user interface or SSH) in combination with the presence or possibility of creating non-administrator user accounts for such access.
Important: Updating the toolkit is not sufficient. For affected customer devices based on the CODESYS Runtime Toolkit the vulnerability needs to be resolved following the instructions in the mentioned documentation.
Update the following products to version 4.16.0.0.
For the updated CODESYS Control SL products, CODESYS GmbH has implemented the necessary measures to address the identified security vulnerability. As a result, access to the runtime directories is now restricted to the Linux user account under which the CODESYS Control runtime is executed. Access is explicitly denied to all other non-administrator users.
Note: Administrator users (e.g., root) may still retain access.
The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download/.
For the following product no fix is available.
Since there is no fix available for this product, CODESYS GmbH strongly recommends removing all other existing non-administrator users of the operating system and preventing their re-creation in order to neutralize the security vulnerability.
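The account condition that both the Mitigation section and the paragraph above rely on (no non-administrator operating-system users, and none that can be re-created) can be audited with the following added shell example, which is not part of the advisory or of CODESYS's own tooling. It lists every account in a passwd file that is not uid 0 and still has a login shell; the passwd file path and the optional name of the runtime account to exclude are parameters, and the sample passwd content is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not CODESYS code): find operating-system accounts that are
# neither root nor locked out of interactive login, i.e. the accounts the
# advisory says must be removed on devices without a fix. The passwd file
# path is a parameter so the check can run against a copy pulled from a
# device as well as against the live /etc/passwd.

# nonadmin_login_accounts PASSWD_FILE [KEEP]
# Print "name:uid:shell" for every entry whose uid is not 0 and whose
# shell is not nologin/false. An empty shell field counts as interactive
# because login then falls back to /bin/sh. KEEP names one account to
# skip, for example the (non-root) account the runtime itself runs under.
# Returns 1 if any such account exists, 0 if none does.
nonadmin_login_accounts() {
    keep=${2:-}
    found=$(awk -F: -v keep="$keep" '
        $3 != 0 && $7 !~ /(nologin|false)$/ && $1 != keep {
            print $1 ":" $3 ":" $7
        }' "$1")
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample passwd content (not taken from a real device).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:100:65534::/run/sshd:/usr/sbin/nologin
plc:x:1000:1000:runtime account:/home/plc:/bin/bash
operator:x:1001:1001::/home/operator:/bin/sh
guest:x:1002:1002::/home/guest:/bin/false
EOF
}

# Usage on the live system (as root), excluding an assumed runtime account "plc":
#   nonadmin_login_accounts /etc/passwd plc || echo "non-administrator login accounts present"
```

A clean result only covers the accounts that exist now; the advisory also asks that re-creation be prevented, so the same check belongs in whatever integrity or configuration monitoring the device already has, and SSH or other remote file access should be disabled where it is not needed.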
CERT@VDE coordinated with CODESYS GmbH.
Thanks to Luca Borzacchiello from Nozomi Networks for reporting.