| Article No. | Product Name | Affected Version(s) |
|---|---|---|
| | Compact Vision System SBO*-Q-* | = All Versions |
| | Control block CPX-CEC-C1 Codesys V2 | = All Versions |
| | Control block CPX-CEC-C1-V3 Codesys V3 | = All Versions |
| | Control block CPX-CEC Codesys V2 | = All Versions |
| | Control block CPX-CEC-M1 Codesys V2 | = All Versions |
| | Control block CPX-CEC-M1-V3 Codesys V3 | = All Versions |
| | Control block CPX-CEC-S1-V3 Codesys V3 | = All Versions |
| 555668 | Control block CPX-CMXX | = All Versions |
| 555667 | Control block CPX-CMXX | = All Versions |
| | Controller CECC-D | = All Versions |
| | Controller CECC-D-BA | = All Versions |
| | Controller CECC-D-CS | = All Versions |
| | Controller CECC-LK | = All Versions |
| | Controller CECC-S | = All Versions |
| | Controller CECC-X-M1 | = All Versions |
| | Controller CECC-X-M1-MV | = All Versions |
| | Controller CECC-X-M1-S1 | = All Versions |
| 553852 | Controller CECX-X-C1 | = All Versions |
| 553853 | Controller CECX-X-M1 | = All Versions |
| | Controller CPX-E-CEC-C1 | = All Versions |
| | Controller CPX-E-CEC-C1-EP | = All Versions |
| | Controller CPX-E-CEC-C1-PN | = All Versions |
| | Controller CPX-E-CEC-M1 | = All Versions |
| | Controller CPX-E-CEC-M1-EP | = All Versions |
| | Controller CPX-E-CEC-M1-PN | = All Versions |
| 559869 | Controller FED-CEC | = All Versions |
| | Operator unit CDPX-X-A-S-10 | = All Versions |
| | Operator unit CDPX-X-A-W-13 | = All Versions |
| | Operator unit CDPX-X-A-W-4 | = All Versions |
| | Operator unit CDPX-X-A-W-7 | = All Versions |
| | Operator unit CDPX-X-E1-W-10 | = All Versions |
| | Operator unit CDPX-X-E1-W-15 | = All Versions |
| | Operator unit CDPX-X-E1-W-7 | = All Versions |

The products are shipped with an unsafe configuration of the integrated CODESYS Runtime environment: no default password is set on the CODESYS PLC, so access without authentication is possible.

Once a connection to the CODESYS Runtime has been established, the PLC-Browser commands are available. These make it possible to, for example, read and modify the configuration file(s), start/stop the application and reboot the device.

In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57, password protection is not enabled by default, and there is no information or prompt to enable password protection at login if no password is set at the controller.

A remote, authenticated attacker could use the control program of the CODESYS Control runtime system to exploit the vulnerability in order to read and modify the configuration file(s) of the affected products.

Mitigation
Festo has identified the following compensatory measures to reduce the risk:
General recommendations
As part of a security strategy, Festo recommends the following general defense measures to reduce the risk of exploits:
- Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
- Use firewalls to protect and separate the control system network from other networks
- Use VPN (Virtual Private Network) tunnels if remote access is required
- Activate and apply user management and password features
- Use encrypted communication links
- Limit access to both the development and control systems by physical means, operating system features, etc.
- Protect both the development and control systems by using up-to-date virus detection solutions

Festo strongly recommends minimizing and protecting network access to connected devices with state-of-the-art techniques and processes.
For secure operation, follow the recommendations in the product manuals.

Thanks to Daniel dos Santos and Rob Hulsebos from Forescout for reporting to Festo.
Thanks to CERT@VDE for coordination and support with this publication.