Share: Email | Twitter

ID

VDE-2023-068

Published

2024-05-21 08:00 (CEST)

Last update

2024-05-21 07:58 (CEST)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
750-8000 Basic Controller 100 <= FW2
750-8001 Basic Controller 100 <= FW2
751-9301/xxx-xxx Compact Controller 100 <= FW25
751-9401/xxx-xxx Compact Controller 100 <= FW25
752-8303/8000-0002 EC 300 <= FW25
e!COCKPIT <= 1.11.2.0
750-8100/xxx-xxx PFC 100 <= FW22 Patch 1
750-8101/xxx-xxx PFC 100 <= FW22 Patch 1
750-8102/xxx-xxx PFC 100 <= FW22 Patch 1
750-8202/xxx-xxx PFC 200 G1 <= FW22 Patch 1
750-8203/xxx-xxx PFC 200 G1 <= FW22 Patch 1
750-8204/xxx-xxx PFC 200 G1 <= FW22 Patch 1
750-8206/xxx-xxx PFC 200 G1 <= FW22 Patch 1
750-8207/xxx-xxx PFC 200 G1 <= FW22 Patch 1
750-8210/xxx-xxx PFC 200 G2 <= FW25
750-8211/xxx-xxx PFC 200 G2 <= FW25
750-8212/xxx-xxx PFC 200 G2 <= FW25
750-8213/xxx-xxx PFC 200 G2 <= FW25
750-8214/xxx-xxx PFC 200 G2 <= FW25
750-8215/xxx-xxx PFC 200 G2 <= FW25
750-8216/xxx-xxx PFC 200 G2 <= FW25
750-8217/xxx-xxx PFC 200 G2 <= FW25
762-4x0x/8000-000x TP 600 <= FW25
762-5x0x/8000-000x TP 600 <= FW25
762-6x0x/8000-000x TP 600 <= FW25

Summary

The following vulnerabilities are published with reference to CODESYS Advisory 2023-05, CODESYS Advisory 2023-06 and CODESYS Advisory 2023-09

Vulnerabilities



CVE-2023-3662
7.3
Last Update
Aug. 3, 2023, 12:48 p.m.
Severity
7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
Weakness
Uncontrolled Search Path Element (CWE-427)
Summary

In CODESYS Development System versions from 3.5.17.0 and prior to 3.5.19.20 a vulnerability allows for execution of binaries from the current working directory in the users context .

Details
cert.vde.com 
CVE-2023-3670
7.3
Last Update
July 28, 2023, 9:44 a.m.
Severity
7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
Weakness
Exposure of Resource to Wrong Sphere (CWE-668)
Summary

In CODESYS Development System 3.5.9.0 to 3.5.17.0 and CODESYS Scripting 4.0.0.0 to 4.1.0.0 unsafe directory permissions would allow an attacker with local access to the workstation to place potentially harmful and disguised scripts that could be executed by legitimate users.

Details
cert.vde.com 
CVE-2023-37559
6.5
Last Update
Aug. 3, 2023, 12:42 p.m.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness
Improper Input Validation (CWE-20)
Summary

After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted network communication requests with inconsistent content can cause the CmpAppForce component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37558

Details
cert.vde.com 
CVE-2023-37558
6.5
Last Update
Aug. 3, 2023, 12:42 p.m.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness
Improper Input Validation (CWE-20)
Summary

After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted network communication requests with inconsistent content can cause the CmpAppForce component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37559

Details
cert.vde.com 
CVE-2023-37557
6.5
Last Update
Aug. 3, 2023, 12:42 p.m.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness
Out-of-bounds Write (CWE-787)
Summary

After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted remote communication requests can cause the CmpAppBP component to overwrite a heap-based buffer, which can lead to a denial-of-service condition.

Details
cert.vde.com 
CVE-2023-37556
6.5
Last Update
Aug. 3, 2023, 12:42 p.m.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37552, CVE-2023-37553, CVE-2023-37554 and CVE-2023-37555.

Details
cert.vde.com 
CVE-2023-37555
6.5
Last Update
Aug. 3, 2023, 12:42 p.m.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37552, CVE-2023-37553, CVE-2023-37554 and CVE-2023-37556.

Details
cert.vde.com 
CVE-2023-37554
6.5
Last Update
Aug. 3, 2023, 12:42 p.m.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37552, CVE-2023-37553, CVE-2023-37555 and CVE-2023-37556.

Details
cert.vde.com 
CVE-2023-37553
6.5
Last Update
Aug. 3, 2023, 12:42 p.m.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37552, CVE-2023-37554, CVE-2023-37555 and CVE-2023-37556.

Details
cert.vde.com 
CVE-2023-37552
6.5
Last Update
Aug. 3, 2023, 12:42 p.m.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37553, CVE-2023-37554, CVE-2023-37555 and CVE-2023-37556.

Details
cert.vde.com 
CVE-2023-37551
6.5
Last Update
Aug. 3, 2023, 12:42 p.m.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Weakness
Files or Directories Accessible to External Parties (CWE-552)
Summary

In multiple Codesys products in multiple versions, after successful authentication as a user, specially crafted network communication requests can utilize the CmpApp component to download files with any file extensions to the controller. In contrast to the regular file download via CmpFileTransfer, no filtering of certain file types is performed here. As a result, the integrity of the CODESYS control runtime system may be compromised by the files loaded onto the controller.

Details
cert.vde.com 
CVE-2023-37550
6.5
Last Update
Aug. 3, 2023, 12:42 p.m.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37548 and CVE-2023-37549.

Details
cert.vde.com 
CVE-2023-37549
6.5
Last Update
Aug. 3, 2023, 12:42 p.m.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37548 and CVE-2023-37550

Details
cert.vde.com 
CVE-2023-37548
6.5
Last Update
Aug. 3, 2023, 12:42 p.m.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37549 and CVE-2023-37550

Details
cert.vde.com 
CVE-2023-37547
6.5
Last Update
Aug. 3, 2023, 12:42 p.m.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness
Improper Input Validation (CWE-20)
Summary
In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37548, CVE-2023-37549 and CVE-2023-37550
Details
cert.vde.com 
CVE-2023-37546
6.5
Last Update
Aug. 3, 2023, 12:42 p.m.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37547, CVE-2023-37548, CVE-2023-37549 and CVE-2023-37550

Details
cert.vde.com 
CVE-2023-37545
6.5
Last Update
Aug. 3, 2023, 12:42 p.m.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37546, CVE-2023-37547, CVE-2023-37548, CVE-2023-37549, CVE-2023-37550

Details
cert.vde.com 

Impact

Please refer to the official CODESYS Advisories:

  • Advisory2023-05_CDS-85189
  • Advisory2023-06_CDS-85457
  • Advisory2023-09_SCRIPT-44

Website at https://www.codesys.com/security/security-reports.html

Solution

Fixed Firmware 3 

Product  Status
750-8000
 available 

750-8001

 available

Fixed Firmware 26

Product Status
Compact Controller 100 family
751-9301/xxx-xxx available

751-9401/xxx-xxx
PFC 100 family

750-8100/xxx-xxx

 available

750-8101/xxx-xxx

750-8102/xxx-xxx
PFC 200 family

750-8202/xxx-xxx

 available

750-8203/xxx-xxx

750-8204/xxx-xxx

750-8206/xxx-xxx

750-8207/xxx-xxx

750-8210/xxx-xxx

750-8211/xxx-xxx

750-8212/xxx-xxx

750-8213/xxx-xxx

750-8214/xxx-xxx

750-8215/xxx-xxx

750-8216/xxx-xxx

750-8217/xxx-xxx
TP 600 family

762-4x0x/8000-000x

 available

762-5x0x/8000-000x

762-6x0x/8000-000x

EC 300 family

752-8303/8000-0002

 available

Fixed Firmware 22 Patch 2

Product Status
Compact Controller 100 family
751-9301/xxx-xxx planned

751-9401/xxx-xxx
PFC 100 family

750-8100/xxx-xxx

 planned

750-8101/xxx-xxx

750-8102/xxx-xxx
PFC 200 family

750-8202/xxx-xxx

 planned

750-8203/xxx-xxx

750-8204/xxx-xxx

750-8206/xxx-xxx

750-8207/xxx-xxx

750-8210/xxx-xxx

750-8211/xxx-xxx

750-8212/xxx-xxx

750-8213/xxx-xxx

750-8214/xxx-xxx

750-8215/xxx-xxx

750-8216/xxx-xxx

750-8217/xxx-xxx
TP 600 family

762-4x0x/8000-000x

 planned

762-5x0x/8000-000x

762-6x0x/8000-000x

EC 300 family

752-8303/8000-0002

 planned

A fixed Version of e!COCKPIT is planned.

Mitigation

Depending on the vulnerability there are possible mitigations:

Vulnerability of CODESYS Advisory 2023-05:

  • This vulnerability exists in the CODESYS programming service which is needed for commission only. Deactivate the CODESYS programming port in the web-based management if you do not need the service.

In addition to the mitigation hints CODESYS GmbH recommends the following general defense measures to reduce the risk of exploits:

  • Use controllers and devices only in a protected environment to minimize network exposure and ensure they are not accessible from outside.
  • Use firewalls to protect and separate the control system network from other networks.
  • Use VPN (Virtual Private Networks) tunnels if remote access is required.
  • Activate and apply user management and password features.
  • Use encrypted communication links.
  • Limit the access to both development and control system by physical means, operating system features, etc.
  • Protect both development and control system by using up to date virus detection solutions.

For further impact information and risk mitigation, please refer to the official CODESYS Advisory Website at https://www.codesys.com/security/security-reports.html

Reported by

Coordination done by CERT@VDE.