Summary
Several high severity vulnerabilities in CODESYS V3 affecting Festo products could lead to Remote Code Execution or Denial of Service.
Impact
Please check the references in the CVEs.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| 3473128 | Control block CPX-CEC-C1-V3 <=8 | Firmware <=4.0.4 |
| 3472765 | Control block CPX-CEC-M1-V3 <=8 | Firmware <=4.0.4 |
| 3472425 | Control block CPX-CEC-S1-V3 <=8 | Firmware <=4.0.4 |
| 5226780 | Control block CPX-E-CEC-C1 <=5 | Firmware <=10.1.4 |
| 4252742 | Control block CPX-E-CEC-C1-EP <8 | Firmware 2.2.14 |
| 4252741 | Control block CPX-E-CEC-C1-PN <8 | Firmware 2.2.14 |
| 5266781 | Control block CPX-E-CEC-M1 <=5 | Firmware <=10.1.4 |
| 4252744 | Control block CPX-E-CEC-M1-EP vers:all/* | Firmware 2.2.14 |
| 4252743 | Control block CPX-E-CEC-M1-PN vers:all/* | Firmware 2.2.14 |
| 574415 | Controller CECC-D <=7 | Firmware <=2.4.2 |
| 8072995 | Controller CECC-D-BA <=7 | Firmware <=2.4.2 |
| 2463301 | Controller CECC-D-CS <=7 | Firmware <=2.4.2 |
| 574418 | Controller CECC-LK <=7 | Firmware <=2.4.2 |
| 574416 | Controller CECC-S <=7 | Firmware <=2.4.2 |
| 4407603 | Controller CECC-X-M1 (Gen3) | Firmware <=3.8.18 |
| 8124922 | Controller CECC-X-M1 (Gen4) | Firmware <=4.0.18 |
| 4407605 | Controller CECC-X-M1-MV (Gen3) | Firmware <=3.8.18 |
| 8124923 | Controller CECC-X-M1-MV (Gen4) | Firmware <=4.0.18 |
| 4407606 | Controller CECC-X-M1-MV-S1 (Gen3) | Firmware <=3.8.18 |
| 8124924 | Controller CECC-X-M1-MV-S1 (Gen4) | Firmware <=4.0.18 |
| 574412 | Operator unit CDPX-X-A-S-10 | Firmware <=3.5.7.159 |
| 574413 | Operator unit CDPX-X-A-W-13 | Firmware <=3.5.7.159 |
| 574410 | Operator unit CDPX-X-A-W-4 | Firmware <=3.5.7.159 |
| 574411 | Operator unit CDPX-X-A-W-7 | Firmware <=3.5.7.159 |
| 8155217 | Operator unit CDPX-X-E1-W-10 | Firmware <=3.5.7.159 |
| 8155218 | Operator unit CDPX-X-E1-W-15 | Firmware <=3.5.7.159 |
| 8155216 | Operator unit CDPX-X-E1-W-7 | Firmware <=3.5.7.159 |
Vulnerabilities
An authenticated, remote attacker may use an out-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into memory which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
An authenticated remote attacker may use a stack-based out-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
An authenticated remote attacker may use a stack-based out-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
An authenticated remote attacker may use a stack-based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
An authenticated, remote attacker may use a stack-based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
An authenticated remote attacker may use a stack-based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
An authenticated, remote attacker may use a stack-based out-of-bounds write vulnerability in the CmpAppForce Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
An authenticated, remote attacker may use a stack-based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
An authenticated remote attacker may use a stack-based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
An authenticated, remote attacker may use a stack-based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
An authenticated, remote attacker may use a stack-based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
An authenticated, remote attacker may use a stack-based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
In multiple CODESYS products in multiple versions an unauthorized, remote attacker may use an improper input validation vulnerability to read from invalid addresses leading to a denial of service.
Multiple CODESYS products in multiple versions are prone to an improper input validation vulnerability. An authenticated remote attacker may craft specific requests that use the vulnerability leading to a denial-of-service condition.
An authenticated, remote attacker may use an improper input validation vulnerability in the CmpApp/CmpAppBP/CmpAppForce Components of multiple CODESYS products in multiple versions to read from an invalid address which can lead to a denial-of-service condition.
An authenticated, remote attacker may use an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple versions of multiple CODESYS products to force a denial-of-service situation.
Mitigation
As part of a security strategy, Festo recommends the following general defense measures to reduce the risk of exploits:
- Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
- Use firewalls to protect and separate the control system network from other networks
- Use VPN (Virtual Private Networks) tunnels if remote access is required
- Activate and apply user management and password features
- Use encrypted communication links
- Limit the access to both development and control system by physical means, operating system features, etc.
- Protect both development and control system by using up-to-date virus detection solutions
Festo strongly recommends minimizing and protecting network access to connected devices with state-of-the-art techniques and processes.
For secure operation, follow the recommendations in the product manuals.
Remediation
For all vulnerability identifiers except CECC-D, CECC-D-CS, CECC-D-BA, CECC-S, CECC-X Gen3 and CECC-LK: Update planned end of Q3 2024.
Acknowledgments
Festo SE & Co. KG thanks the following parties for their efforts:
- CERT@VDE for coordination and support with this publication (see https://certvde.com )
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 01/30/2024 08:00 | Initial revision. |
| 1.0.1 | 11/04/2025 12:00 | Adjusted to VDE template. Changed title from "Several Codesys Vulnerabilities in Festo Products" to "Festo: Multiple products contain CoDe16 vulnerability". Updated legal disclaimer to add references to special provisions. |