VDE-2023-023 | CERT@VDE

2023-08-03 13:08 (CEST) VDE-2023-023

CODESYS: Missing Brute-Force protection in CODESYS Development System

Share: Email | Twitter

ID

VDE-2023-023

Published

2023-08-03 13:08 (CEST)

Last update

2023-08-03 13:08 (CEST)

Vendor(s)

CODESYS GmbH

Product(s)

Article No°	Product Name	Affected Version(s)
	CODESYS Development System	< 3.5.19.20

Summary

The CODESYS Development System does not limit the number of attempts to guess the password within an import dialog.

CVE ID

CVE-2023-3669

Last Update:

Aug. 3, 2023, 1:08 p.m.

Severity

3.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Weakness

Improper Restriction of Excessive Authentication Attempts (CWE-307)

Summary

A missing Brute-Force protection in CODESYS Development System prior to 3.5.19.20 allows a local attacker to have unlimited attempts of guessing the password within an import dialog.

Details

cert.vde.com

Impact

A limited amount of information can be obtained by a local attacker if the brute-force attack was successful.

Solution

Update the CODESYS Development System to version 3.5.19.20.

The CODESYS Development System can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store.

Alternatively, you will find further information on obtaining the software update in the CODESYS Update area

Reported by

This vulnerability was reported by an OEM customer.

Coordination done by CERT@VDE.