Share: Email | Twitter

ID

VDE-2023-025

Published

2023-08-03 13:18 (CEST)

Last update

2023-08-03 13:19 (CEST)

Vendor(s)

CODESYS GmbH

Product(s)

Article No° Product Name Affected Version(s)
CODESYS Control for BeagleBone SL = All
CODESYS Control for emPC-A/iMX6 SL = All
CODESYS Control for IOT2000 SL = All
CODESYS Control for Linux SL = All
CODESYS Control for PFC100 SL = All
CODESYS Control for PFC200 SL = All
CODESYS Control for PLCnext SL = All
CODESYS Control for Raspberry Pi SL = All
CODESYS Control for WAGO Touch Panels 600 SL = All
CODESYS Control RTE (for Beckhoff CX) SL = All
CODESYS Control RTE (SL) = All
CODESYS Control Runtime System Toolkit = All
CODESYS Control Win (SL) = All
CODESYS HMI (SL) = All

Summary

The CODESYS Control V3 runtime system does not restrict the memory accesses of the PLC application code to the PLC application data and does not sufficiently check the integrity of the application code by default. This could be exploited by authenticated PLC programmers.

Vulnerabilities



CVE-2022-4046
8.8
Last Update
Aug. 3, 2023, 2:37 p.m.
Severity
8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Weakness
Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
Summary

In CODESYS Control in multiple versions a improper restriction of operations within the bounds of a memory buffer allow an remote attacker with user privileges to gain full access of the device.

Details
cert.vde.com 
CVE-2023-28355
7.7
Last Update
Aug. 3, 2023, 2:38 p.m.
Severity
7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N)
Weakness
Improper Validation of Integrity Check Value (CWE-354)
Summary

The PLC application code executed by the CODESYS Control Runtime contains a checksum. This enables the CODESYS development system to check at login whether its loaded project matches the PLC application code executed on the controller. This checksum is not sufficient to reliably detect PLC application code that has been modified in memory or boot application files that have been manipulated.

Details
 

Impact

The CODESYS Control runtime system enables embedded or PC-based devices to be a programmable industrial controller. Control programs (PLC application code) can access local or remote IOs, communication interfaces such as serial or sockets, or the file system.

Solution

Mitigation

To exploit these vulnerabilities, a successful login to the affected product is required. The online user management therefore protects from exploiting these security vulnerabilities.

CODESYS GmbH strongly recommends using the online user management. This not only prevents from downloading malicious code or boot application files, but also suppresses starting, stopping, debugging or other actions on a known working application that could potentially disrupt a machine or system. As of version 3.5.17.0, the online user management is enforced by default.

In addition, the CODESYS Development System and the CODESYS Control runtime system support optional signing and encryption of the application code loaded on the controller. This feature also prevents the loading and execution of untrusted or modified boot files. If the application code security policy is set to "Enforced Signing", a modified or untrusted application will be detected due to a missing signature and will not be loaded and executed.

Reported by

This issue was reported by Reid Wightman of Dragos Inc.

Coordination done by CERT@VDE.

CODESYS GmbH thanks all parties involved for their efforts.