Share: Email | Twitter

ID

VDE-2022-040

Published

2022-10-17 10:00 (CEST)

Last update

2023-09-22 14:39 (CEST)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
WAGO-I/O-PRO Engineering Software <= 2.3.9.68
750-331 Ethernet Controller 3rd Generation <= 01.04.16(14)
750-829 Ethernet Controller 3rd Generation <= 01.04.16(14)
750-831/xxx-xxx Ethernet Controller 3rd Generation <= 01.04.16(14)
750-852 Ethernet Controller 3rd Generation <= 01.09.25(16)
750-881 Ethernet Controller 3rd Generation <= 01.09.25(16)
750-882 Ethernet Controller 3rd Generation <= 01.08.25(16)
750-885/xxx-xxx Ethernet Controller 3rd Generation <= 01.07.25(16)
750-889 Ethernet Controller 3rd Generation <= 01.03.25(16)
750-880/xxx-xxx Ethernet Controller 3rd Generation <= 01.08.25(16)
750-823 Ethernet Controller 4th Generation <= 01.05.04(10)
750-332 Ethernet Controller 4th Generation <= 01.02.16(06)
750-832/xxx-xxx Ethernet Controller 4th Generation <= 01.02.16(06)
750-862 Ethernet Controller 4th Generation <= 01.05.04(10)
750-890/xxx-xxx Ethernet Controller 4th Generation <= 01.05.04(10)
750-891 Ethernet Controller 4th Generation <= 01.05.04(10)
750-893 Ethernet Controller 4th Generation <= 01.05.04(10)
750-8202/xxx-xxx PFC200 <= 03.10.08(22)
750-8203/xxx-xxx PFC200 <= 03.10.08(22)
750-8204/xxx-xxx PFC200 <= 03.10.08(22)
750-8206/xxx-xxx PFC200 <= 03.10.08(22)
750-8207/xxx-xxx PFC200 <= 03.10.08(22)
750-8208/xxx-xxx PFC200 <= 03.10.08(22)
750-8210/xxx-xxx PFC200 <= 03.10.08(22)
750-8211/xxx-xxx PFC200 <= 03.10.08(22)
750-8212/xxx-xxx PFC200 <= 03.10.08(22)
750-8213/xxx-xxx PFC200 <= 03.10.08(22)
750-8214/xxx-xxx PFC200 <= 03.10.08(22)
750-8216/xxx-xxx PFC200 <= 03.10.08(22)
750-8217/xxx-xxx PFC200 <= 03.10.08(22)

Summary

UPDATE A: Solution has updated release dates
UPDATE B: Solution has updated release dates

This Advisory is published with reference to:

  • CODESYS Advisory 2022-11 (Security update for CODESYS Control V2)
  • CODESYS Advisory 2022-12 (Security update for CODESYS V2 password transport)
  • CODESYS Advisory 2022-13 (Security update for CODESYS Gateway V2)

Vulnerabilities



Last Update
Sept. 14, 2022, 4:48 p.m.
Weakness
Insecure Default Initialization of Resource (CWE-1188)
Summary

In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57 password protection is not enabled by default and there is no information or prompt to enable password protection at login in case no password is set at the controller.

Last Update
Sept. 14, 2022, 4:50 p.m.
Weakness
Partial String Comparison (CWE-187)
Summary

In CODESYS Gateway Server V2 for versions prior to V2.3.9.38 only a part of the the specified password is been compared to the real CODESYS Gateway password. An attacker may perform authentication by specifying a small password that matches the corresponding part of the longer real CODESYS Gateway password.

Last Update
Sept. 14, 2022, 4:42 p.m.
Weakness
Heap-based Buffer Overflow (CWE-122)
Summary

In multiple CODESYS products, a low privileged remote attacker may craft a request, which may cause a heap-based buffer overflow, resulting in a denial-of-service condition or memory overwrite. User interaction is not required.

Last Update
Sept. 14, 2022, 4:45 p.m.
Weakness
Files or Directories Accessible to External Parties (CWE-552)
Summary

In multiple CODESYS products, file download and upload function allows access to internal files in the working directory e.g. firmware files of the PLC. All requests are processed on the controller only if no level 1 password is configured on the controller or if remote attacker has previously successfully authenticated himself to the controller. A successful Attack may lead to a denial of service, change of local files, or drain of confidential Information. User interaction is not required

Last Update
Sept. 14, 2022, 4:40 p.m.
Weakness
Unexpected Sign Extension (CWE-194)
Summary

In multiple CODESYS products, a remote attacker may craft a request which may cause an unexpected sign extension, resulting in a denial-of-service condition or memory overwrite.

Last Update
Sept. 14, 2022, 4:45 p.m.
Weakness
Use of Out-of-range Pointer Offset (CWE-823)
Summary

Multiple CODESYS Products are prone to a out-of bounds read or write access. A low privileged remote attacker may craft a request with invalid offset, which can cause an out-of-bounds read or write access, resulting in denial-of-service condition or local memory overwrite, which can lead to a change of local files. User interaction is not required.

Last Update
Sept. 14, 2022, 4:41 p.m.
Weakness
Improper Handling of Exceptional Conditions (CWE-755)
Summary

Multiple products of CODESYS implement a improper error handling. A low privilege remote attacker may craft a request, which is not properly processed by the error handling. In consequence, the file referenced by the request could be deleted. User interaction is not required.

Last Update
Sept. 14, 2022, 4:51 p.m.
Weakness
Memory Allocation with Excessive Size Value (CWE-789)
Summary

The CODESYS Gateway Server V2 does not verifiy that the size of a request is within expected limits. An unauthenticated attacker may allocate an arbitrary amount of memory, which may lead to a crash of the Gateway due to an out-of-memory condition.

Last Update
Sept. 14, 2022, 4:48 p.m.
Weakness
Unprotected Transport of Credentials (CWE-523)
Summary

In the CODESYS Development System multiple components in multiple versions transmit the passwords for the communication between clients and servers unprotected.

Last Update
Sept. 14, 2022, 4:40 p.m.
Weakness
Out-of-bounds Read (CWE-125)
Summary

In multiple CODESYS products, a low privileged remote attacker may craft a request, which cause an out-of-bounds read, resulting in a denial-of-service condition. User Interaction is not required.

Last Update
Sept. 14, 2022, 4:40 p.m.
Weakness
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
Summary

Multiple CODESYS products are affected to a buffer overflow.A low privileged remote attacker may craft a request, which can cause a buffer copy without checking the size of the service, resulting in a denial-of-service condition. User Interaction is not required.

Last Update
Sept. 14, 2022, 4:44 p.m.
Weakness
Buffer Over-read (CWE-126)
Summary

Multiple CODESYS Products are prone to a buffer over read. A low privileged remote attacker may craft a request with an invalid offset, which can cause an internal buffer over-read, resulting in a denial-of-service condition. User interaction is not required.

Last Update
Sept. 14, 2022, 4:42 p.m.
Weakness
Access of Uninitialized Pointer (CWE-824)
Summary

In multiple CODESYS products, a low privileged remote attacker may craft a request that cause a read access to an uninitialized pointer, resulting in a denial-of-service. User interaction is not required.

Last Update
Sept. 14, 2022, 4:51 p.m.
Weakness
Uncontrolled Resource Consumption (CWE-400)
Summary

In CODESYS Gateway Server V2 an insufficient check for the activity of TCP client connections allows an unauthenticated attacker to consume all available TCP connections and prevent legitimate users or clients from establishing a new connection to the CODESYS Gateway Server V2. Existing connections are not affected and therefore remain intact.

Impact

From vulnerabilities CVE-2022-1965, CVE-2022-32136, CVE-2022-32137, CVE-2022-32138, CVE-2022-32139, CVE-2022-32140, CVE-2022-32141, CVE-2022-32142, CVE-2022-32143 (CODESYS Advisory 2022-11):
By crafting special packets / requests a low skilled attacker can exploit the vulnerabilities. This can lead to denial-of-service conditions or deleting files.

From vulnerabilities CVE-2022-31805, CVE-2022-31806 (CODESYS Advisory 2022-12):
A low skilled attacker is able to gather insufficiently protected credentials having access to the communication between client and server.

From vulnerabilities CVE-2022-31802, CVE-2022-31803, CVE-2022-31804 (CODESYS Advisory 2022-13):
An attacker with low skills is able to gather insufficiently protected credentials having local access or access to the online communication traffic

Solution

Mitigation

For vulnerabilities CVE-2022-1965, CVE-2022-32136, CVE-2022-32137, CVE-2022-32138, CVE-2022-32139, CVE-2022-32140, CVE-2022-32141, CVE-2022-32142, CVE-2022-32143 (CODESYS Advisory 2022-11):
• Activation of online user management, to prevent unallowed actions from unauthorized attackers
• Setting strong passwords
• Use e!Runtime or CODESYS V3

For vulnerabilities CVE-2022-31805, CVE-2022-31806 (CODESYS Advisory 2022-12):

  • Activation of online user management, to prevent unallowed actions from unauthorized attackers

  • Use encryption of online communication whenever possible, this protects password transmission.

General mitigation recommendations by CODESYS GmbH to reduce the risk of exploits:

  • Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside

  • Use firewalls to protect and separate the control system network from other networks

  • Use VPN (Virtual Private Networks) tunnels if remote access is required

  • Activate and apply user management and password features

  • Use encrypted communication links

  • Limit the access to both development and control system by physical means, operating system features, etc.

  • Protect both development and control system by using up to date virus detecting solutions

For further impact information and risk mitigation, please refer to the official CODESYS Advisory Website at
www.codesys.com/security/security-reports.html

Solution

WAGO recommends that all affected users with WAGO I/O-PRO/CODESYS 2.3 PLCs update to the firmware and use the latest version of WAGO I/O-Pro as soon as it is available.
Until the updates are available, we recommend switching off the CODESYS IP port 2455 after commissioning or, if this not possible, use a strong admin password.

Ord. No. Firmware
PFC200 Family
750-8202/xxx-xxx UPDATE B: Available
in Q1 2024
750-8203/xxx-xxx
750-8204/xxx-xxx
750-8206/xxx-xxx
750-8207/xxx-xxx
750-8208/xxx-xxx
750-8210/xxx-xxx
750-8211/xxx-xxx
750-8212/xxx-xxx
750-8213/xxx-xxx
750-8214/xxx-xxx
750-8216/xxx-xxx
750-8217/xxx-xxx
Ethernet Controller 4th Generation Family UPDATE B
750-823 FW11
750-332 FW11 after BACnet Certification
750-832/xxx-xxx FW11 after BACnet Certification
750-862 FW11
750-890/xxx-xxx FW11
750-891 FW11
750-893 FW11
Ethernet Controller 3rd Generation Family UPDATE B
750-331 Available in Q3 2023
750-829 FW17
750-831/xxx-xxx Discontinued no fix
750-852 FW17
750-880/xxx-xxx FW17
750-881 FW17
750-882 FW17
750-885/xxx-xxx FW17
750-889 FW17
Engineering Software
WAGO-I/O-PRO 32 UPDATE B: 2.3.9.70

Reported by

CERT@VDE coordinated with WAGO