Summary
Multiple WAGO product families are prone to multiple vulnerabilities affecting CODESYS control runtime system.
Impact
Please consult the CVE entries for further information.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| 752-8303/8000-0002 | EC300 | Firmware <=03.06.19(18) |
| 750-8101/xxx-xxx, 750-8102/xxx-xxx, 750-8100/xxx-xxx | PFC 100 | Firmware <=03.06.19(18) |
| 750-8202/xxx-xxx, 750-8204/xxx-xxx, 750-8206/xxx-xxx, 750-8207/xxx-xxx, 750-8210/xxx-xxx, 750-8211/xxx-xxx, 750-8212/xxx-xxx, 750-8213/xxx-xxx, 750-8214/xxx-xxx, 750-8215/xxx-xxx, 750-8216/xxx-xxx, 750-8217/xxx-xxx, 750-8203/xxx-xxx | PFC 200 | Firmware <=03.06.19(18) |
| 762-5x0x/8000-000x, 762-6x0x/8000-000x, 762-4x0x/8000-000x | TP600 | Firmware <=03.06.19(18) |
Vulnerabilities
Expand / Collapse allAn issue was discovered in 3S-Smart CODESYS V3 products. The application may utilize non-TLS based encryption, which results in user credentials being insufficiently protected during transport. All variants of the following CODESYS V3 products in all versions containing the CmpUserMgr component are affected regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS V3 Simulation Runtime (part of the CODESYS Development System), CODESYS Control V3 Runtime System Toolkit, CODESYS HMI V3.
In CODESYS V3 products in all versions prior V3.5.16.0 containing the CmpUserMgr, the CODESYS Control runtime system stores the online communication passwords using a weak hashing algorithm. This can be used by a local attacker with low privileges to gain full control of the device.
In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), a user's password may be changed by an attacker without knowledge of the current password.
In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), an attacker can identify valid usernames.
Mitigation
CODESYS GmbH recommends the following general defense measures to reduce the risk of exploits:
- Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
- Use firewalls to protect and separate the control system network from other networks
- Use VPN (Virtual Private Networks) tunnels if remote access is required
- Activate and apply user management and password features
- Use encrypted communication links
- Limit the access to both development and control system by physical means, operating system features, etc.
- Protect both development and control system by using up to date virus detecting solutions
For further impact information and risk mitigation, please refer to the official CODESYS Advisory Website at www.codesys.com/security/security-rep...
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 17.08.2022 10:00 | Initial revision. |