Article No° | Product Name | Affected Version(s) |
---|---|---|
CODESYS Control Win (SL) | < 3.5.20.10 | |
CODESYS Development System V3 | < 3.5.20.10 | |
CODESYS Edge Gateway for Windows | < 3.5.20.10 | |
CODESYS Gateway for Windows | < 3.5.20.10 | |
CODESYS HMI (SL) | < 3.5.20.10 |
All legitimate local Microsoft Windows users can read or modify files that are located in the working directory of the affected CODESYS products, even if they are executed under a different user or in the system context.
A local attacker with low privileges can read and modify any users files and cause a DoS in the working directory of the affected products due to exposure of resource to wrong sphere.
The CODESYS Development System is an IEC 61131-3 programming tool for the industrial controller and automation technology sector. The integrated runtime for simulating CODESYS projects as well as CODESYS Control Win V3, CODESYS HMI and the CODESYS (Edge) Gateway running under the Microsoft Windows operating system have their working directory under %ProgramData%\CODESYS\ by default. All legitimate local Microsoft Windows users can read or modify files in this working directory, even if the affected products are running under a different user or in the system context.
Mitigation
Only create required user accounts on the Microsoft Windows systems on which the affected software is installed. Users who do not need to use the affected software should not have access to these systems.
Remediation
Update the following products to version 3.5.20.10.
The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS download area.
The working directories of the affected products are moved to "%APPDATA%\CODESYS\", which is usually located in C:\Users\<user>\AppData\CODESYS\ and can only be accessed by the respective user.
If the PLC is started with the "CODESYS Control Win SysTray PLC Control", it runs in the Windows user account "LocalSystem" and therefore the effective working directory is "C:\Windows\system32\config\systemprofile\AppData\Roaming\CODESYS\" or C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\CODESYS\. An administrator account is required to access these folders.
CERT@VDE coordinated with CODESYS
This issue was reported by joker63.