VDE-2023-024 | CERT@VDE

2023-07-28 09:45 (CEST) VDE-2023-024

CODESYS: Vulnerability in CODESYS Development System and CODESYS Scripting

Share: Email | Twitter

ID

VDE-2023-024

Published

2023-07-28 09:45 (CEST)

Last update

2023-07-28 09:46 (CEST)

Vendor(s)

CODESYS GmbH

Product(s)

Article No°	Product Name	Affected Version(s)
	CODESYS Development System	3.5.9.0 < 3.5.17.0
	CODESYS Scripting	4.0.0.0 < 4.1.0.0

CVE ID

CVE-2023-3670

Last Update:

July 28, 2023, 9:44 a.m.

Severity

7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

Weakness

Exposure of Resource to Wrong Sphere (CWE-668)

Summary

In CODESYS Development System 3.5.9.0 to 3.5.17.0 and CODESYS Scripting 4.0.0.0 to 4.1.0.0 unsafe directory permissions would allow an attacker with local access to the workstation to place potentially harmful and disguised scripts that could be executed by legitimate users.

Details

cert.vde.com

Impact

Please consult CODESYS Security Advisory 2023-09 for more details.

Solution

Update CODESYS Development System to version 3.5.17.0 or newer.

Update CODESYS Scripting to version 4.1.0.0 or newer.

This version can be downloaded and installed directly with the CODESYS Installer. A CODESYS Development
System version of 3.5.17.0 or newer is required.

Alternatively, you can visit the CODESYS update area for more information on how to obtain the software
update.

Reported by

This vulnerability was discovered by Sina Kheirkhah (@SinSinology) of Summoning Team
(@SummoningTeam) working with Trend Micro Zero Day Initiative.
CODESYS coordinated with CERT@VDE.