VDE-2024-057 | CERT@VDE

2024-09-25 10:00 (CEST) VDE-2024-057

CODESYS: CODESYS web server vulnerable to DoS

Share: Email | Twitter

ID

VDE-2024-057

Published

2024-09-25 10:00 (CEST)

Last update

2024-09-25 08:39 (CEST)

Vendor(s)

CODESYS GmbH

Product(s)

Article No°	Product Name	Affected Version(s)
	CODESYS Control for BeagleBone SL	< 4.14.0.0
	CODESYS Control for emPC-A/iMX6 SL	< 4.14.0.0
	CODESYS Control for IOT2000 SL	< 4.14.0.0
	CODESYS Control for Linux ARM SL	< 4.14.0.0
	CODESYS Control for Linux SL	< 4.14.0.0
	CODESYS Control for PFC100 SL	< 4.14.0.0
	CODESYS Control for PFC200 SL	< 4.14.0.0
	CODESYS Control for PLCnext SL	< 4.14.0.0
	CODESYS Control for Raspberry Pi SL	< 4.14.0.0
	CODESYS Control for WAGO Touch Panels 600 SL	< 4.14.0.0
	CODESYS Control RTE (for Beckhoff CX) SL	< 3.5.20.30
	CODESYS Control RTE (SL)	< 3.5.20.30
	CODESYS Control Win (SL)	< 3.5.20.30
	CODESYS Embedded Target Visu Toolkit	< 3.5.20.30
	CODESYS HMI (SL)	< 3.5.20.30
	CODESYS Remote Target Visu Toolkit	< 3.5.20.30
	CODESYS Runtime Toolkit	< 3.5.20.30
	CODESYS Virtual Control SL	< 4.14.0.0

Summary

The CODESYS web server component of the CODESYS Control runtime system is used by the CODESYS WebVisu to display visualization screens in a web browser. Receiving a specifically crafted TLS packet on an HTTPS connection causes the CODESYS web server to crash because the return value of an underlying function is not checked correctly for such unusual conditions.

CVE ID

CVE-2024-8175

Last Update:

Aug. 27, 2024, 10:59 a.m.

Severity

7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Weakness

Improper Check for Unusual or Exceptional Conditions (CWE-754)

Summary

An unauthenticated remote attacker can causes the CODESYS web server to access invalid memory which results in a DoS.

Details

cert.vde.com

Impact

The CODESYS web server, implemented by the CmpWebServer component, is an optional part of the CODESYS Control runtime system. It is used by the CODESYS WebVisu to display CODESYS visualization screens in a web browser. The CODESYS web server supports both the HTTP and HTTPS protocols. Because the CODESYS web server does not correctly check the return value of an underlying function, it reacts in a wrong way to specifically crafted TLS packets that are received via an HTTPS connection. This causes the CODESYS web server to access invalid memory and the web server task to crash.

Solution

Remediation

Update the following products to version 3.5.20.30.

CODESYS Control RTE (SL)
CODESYS Control RTE (for Beckhoff CX) SL
CODESYS Control Win (SL)
CODESYS HMI (SL)
CODESYS Runtime Toolkit
CODESYS Embedded Target Visu Toolkit
CODESYS Remote Target Visu Toolkit

Update the following products to version 4.14.0.0.

CODESYS Control for BeagleBone SL
CODESYS Control for emPC-A/iMX6 SL
CODESYS Control for IOT2000 SL
CODESYS Control for Linux ARM SL
CODESYS Control for Linux SL
CODESYS Control for PFC100 SL
CODESYS Control for PFC200 SL
CODESYS Control for PLCnext SL
CODESYS Control for Raspberry Pi SL
CODESYS Control for WAGO Touch Panels 600 SL
CODESYS Virtual Control SL

The release of version 4.14.0.0 is expected for end of November 2024.

The products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS download area.

Reported by

CERT@VDE coordinated with CODESYS

This issue was reported by ABB.