
ID

VDE-2024-046

Published

2024-09-10 14:00 (CEST)

Last update

2024-09-12 07:52 (CEST)

Vendor(s)

CODESYS GmbH

Product(s)

Article No°   Product Name           Affected Version(s)
CODESYS       OSCAT Basic Library    < 3.3.5.0
oscat.de      OSCAT Basic Library    < 3.3.5
oscat.de      OSCAT Basic Library    < 335

Summary

The OSCAT Basic library is one of several libraries developed and provided by OSCAT. OSCAT (oscat.de) stands for "Open Source Community for Automation Technology".

The OSCAT Basic library offers function blocks for various tasks, e.g. for buffer management, list processing, control technology, mathematics, string processing, time and date conversion. By adding the OSCAT Basic library into IEC 61131-3-compliant programming tools, PLC programmers can use all the functions provided by the library in their control programs.

Within the library, the MONTH_TO_STRING function is affected by an out-of-bounds read vulnerability. Exploitation of the vulnerability may lead to limited access to internal data or possibly to a crash of the PLC.


Last Update:

Sept. 10, 2024, 5:07 p.m.

Weakness

Out-of-bounds Read (CWE-125)

Summary

Out-of-bounds read vulnerability in OSCAT Basic Library allows a local, unprivileged attacker to access limited internal data of the PLC, which may lead to a crash of the affected service.


Impact

The OSCAT Basic library, which is developed and provided by OSCAT, the "Open Source Community for Automation Technology", as an extension to the IEC 61131-3-based programming tools, offers functions for a wide range of programming tasks. As part of the date and time processing functions, the library offers a function called MONTH_TO_STRING for converting months into various selectable string representations.

The MONTH_TO_STRING function of the OSCAT Basic library does not completely check the valid ranges of the passed values. This poses a vulnerability for the programmed PLC if values are passed to the MONTH_TO_STRING function that are fed into the PLC program from outside. An example could be a visualization in which integer values can be entered, which are then passed directly from the PLC program without further range checking as parameters to the MONTH_TO_STRING function. By entering values outside the valid range, an attacker can perform out-of-bounds read accesses to read limited internal data from the PLC or possibly cause it to crash.

Solution

Mitigation

CODESYS GmbH recommends an update of the OSCAT Basic library to address the security vulnerability. Without an update, the vulnerability can be prevented by validating all values in the PLC program before they are passed to the affected function. In particular, negative values must be blocked as function parameters of MONTH_TO_STRING.

Regardless of whether the OSCAT Basic library in the programming system was updated or the security vulnerability was mitigated in the PLC program, a download or online change must be performed to update the application on the PLC. In addition, the boot project must be rebuilt and downloaded.
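The validation described above, written as an IEC 61131-3 Structured Text wrapper (an added example, not code from the advisory or from OSCAT): an untrusted month value from a visualization is only handed to MONTH_TO_STRING when it lies in 1..12, so negative values and out-of-range positives never reach the library. The call assumes MONTH_TO_STRING takes the month, a language selector and a mode selector as INT inputs and returns a STRING; the parameter order is an assumption, so check it against the OSCAT Basic documentation for the version in use.

```iecst
(* Added example, not part of the advisory or the OSCAT library.
   Assumption: MONTH_TO_STRING(month, language, mode) : STRING.
   Only a range-checked month is ever passed to the library call. *)
FUNCTION_BLOCK FB_MonthLabelChecked
VAR_INPUT
    iMonthRaw : INT;      (* untrusted value, e.g. entered in a visualization *)
    iLang     : INT;      (* language selector, passed through unchanged *)
    iMode     : INT;      (* string representation selector, passed through *)
END_VAR
VAR_OUTPUT
    sLabel    : STRING;   (* month name, or '' when the input was rejected *)
    xValid    : BOOL;     (* TRUE only if iMonthRaw was within 1..12 *)
    udiReject : UDINT;    (* number of rejected inputs, for diagnostics/alarms *)
END_VAR
VAR
    iMonthChecked : INT := 1;
END_VAR

(* Gate the value before it reaches the library. Blocking negatives alone
   is the minimum the advisory asks for; restricting to 1..12 also rejects
   0 and values above 12, which are never valid months. *)
IF (iMonthRaw >= 1) AND (iMonthRaw <= 12) THEN
    iMonthChecked := iMonthRaw;
    xValid := TRUE;
ELSE
    xValid := FALSE;
    udiReject := udiReject + 1;
END_IF

IF xValid THEN
    (* assumed parameter order: month, language, mode *)
    sLabel := MONTH_TO_STRING(iMonthChecked, iLang, iMode);
ELSE
    (* deterministic fallback instead of an out-of-bounds read *)
    sLabel := '';
END_IF
END_FUNCTION_BLOCK
```

The PLC program then reads sLabel only where xValid is TRUE, and udiReject can be wired to an alarm or log entry so that repeated out-of-range inputs from the HMI become visible to operators.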

Remediation

Update the OSCAT Basic library to version 3.3.5.

The OSCAT Basic library version 3.3.5 is expected to be released in September 2024.

To make the fix effective for existing CODESYS projects, you also must adjust the version of the OSCAT Basic library to be used in the Library Manager of the CODESYS project to version 3.3.5.0. Then you must update the CODESYS application on the PLC by download or online change and rebuild/download the boot application.

General Security Recommendations

As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice defense measures:

  • Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
  • Use firewalls to protect and separate the control system network from other networks
  • Activate and apply user management and password features
  • Limit the access to both development and control system by physical means, operating system features, etc.
  • Use encrypted communication links
  • Use VPN (Virtual Private Networks) tunnels if remote access is required
  • Protect both development and control system by using up to date virus detecting solutions

For more information and general recommendations for protecting machines and plants, see also the CODESYS Security Whitepaper.

Reported by

This issue was reported by Corban Villa, Hithem Lamri, Constantine Doumanidis, Michail Maniatakos of Modern Microprocessors Architecture (MoMA) Lab at NYU Abu Dhabi.

Coordination done by CERT@VDE and CODESYS.

CODESYS GmbH thanks all parties involved for their efforts.