
ID

VDE-2025-015

Published

2025-03-18 12:00 (CET)

Last update

2025-03-14 11:04 (CET)

Vendor(s)

CODESYS GmbH

Product(s)

| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| | CODESYS Control for BeagleBone SL | < 4.16.0.0 |
| | CODESYS Control for emPC-A/iMX6 SL | < 4.16.0.0 |
| | CODESYS Control for IOT2000 SL | < 4.16.0.0 |
| | CODESYS Control for Linux ARM SL | < 4.16.0.0 |
| | CODESYS Control for Linux SL | < 4.16.0.0 |
| | CODESYS Control for PFC100 SL | < 4.16.0.0 |
| | CODESYS Control for PFC200 SL | < 4.16.0.0 |
| | CODESYS Control for PLCnext SL | < 4.16.0.0 |
| | CODESYS Control for Raspberry Pi SL | < 4.16.0.0 |
| | CODESYS Control for WAGO Touch Panels 600 SL | < 4.16.0.0 |
| | CODESYS Control RTE (for Beckhoff CX) SL | < 3.5.21.0 |
| | CODESYS Control RTE (SL) | < 3.5.21.0 |
| | CODESYS Control Win (SL) | < 3.5.21.0 |
| | CODESYS Runtime Toolkit | < 3.5.21.0 |
| | CODESYS Virtual Control SL | < 4.16.0.0 |

Summary

A low-privileged attacker with physical access to a controller that supports removable media and runs a CODESYS Control runtime system can exploit insufficient path validation by connecting removable media whose file system supports symbolic links. This could allow the attacker to bypass SysFile restrictions and gain unauthorized access to the entire file system.


CVE ID

CVE-2025-0694

Last Update:

March 14, 2025, 10:56 a.m.

Weakness

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Summary

Insufficient path validation in CODESYS Control allows low-privileged attackers with physical access to gain full file system access.

Details

certvde.com 

Impact

The CODESYS Control runtime system turns embedded or PC-based devices into programmable industrial controllers. Runtimes that include the SysFile component can access the local file system through either the corresponding API or the file browser in the CODESYS Development System. By default, this access is restricted to the software's own dedicated working directory. Additionally, with User Management enabled by default, user authentication is required to access files via the file browser or to download a PLC program. Placeholders, which act like environment variables for configured paths, can be used to configure a whitelist of paths inside and outside this working directory. In certain configurations, a visible PlaceholderFilePath can be used to automatically enable access to removable media for the CODESYS Control runtime system. For more details, see the descriptions of the settings “FilePath” and “PlaceholderFilePath” in the CODESYS Control runtime system documentation.

This vulnerability is only relevant if the controller has a slot for removable media (other than the one used for the boot partition) and an attacker has physical access to the device. By connecting removable media whose file system supports symbolic links and which contains a symbolic link pointing to a directory outside the dedicated working directory, an authenticated attacker can bypass the SysFile restrictions due to insufficient path validation and gain unauthorized access to the controller’s file system. The level of access (read or write) depends on the privileges of both the runtime process and the user account that the attacker uses to authenticate to the CODESYS Control system.
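The weakness class described above (CWE-22 through a symbolic link), as an added example that is not CODESYS code and not part of the original advisory: a string-level containment check accepts a path that a resolved-path check rejects, and the same resolved check can be used to list links on a mounted medium that point outside it. The directory names are constructed stand-ins for a mount point and the rest of the file system.

```python
import os
import tempfile


def lexical_inside(root, path):
    """Containment check on the normalised strings only; symlinks are not followed."""
    root = os.path.abspath(root)
    return os.path.commonpath([root, os.path.abspath(path)]) == root


def resolved_inside(root, path):
    """Same check after resolving every symlink in both paths."""
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def escaping_symlinks(mount_root):
    """Return (link, resolved target) for each symlink under mount_root that leaves it."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(mount_root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) and not resolved_inside(mount_root, full):
                findings.append((os.path.relpath(full, mount_root),
                                 os.path.realpath(full)))
    return sorted(findings)


def demo():
    """Constructed medium with one link that leaves the mount and one that stays inside."""
    with tempfile.TemporaryDirectory() as tmp:
        media = os.path.join(tmp, "media_usb")   # hypothetical mount point
        outside = os.path.join(tmp, "outside")   # stands for the rest of the file system
        os.makedirs(os.path.join(media, "data"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(media, "link_out"))
        os.symlink(os.path.join(media, "data"), os.path.join(media, "link_in"))
        probe = os.path.join(media, "link_out", "file.txt")
        return (lexical_inside(media, probe),
                resolved_inside(media, probe),
                [rel for rel, _ in escaping_symlinks(media)])


if __name__ == "__main__":
    print(demo())
```

Such a scan reflects the medium only at the moment it runs; it complements the configuration and update measures in this advisory and does not replace them.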

CODESYS Control runtime systems are only affected by the vulnerability if both of the following conditions are met:

  • The device has a slot for removable media, in addition to the boot partition, as this is the only way to actually exploit a symbolic link.
  • The CODESYS Control runtime uses a non-default configuration that includes a predefined “PlaceholderFilePath” for removable media.

This applies to all products based on the CODESYS Runtime Toolkit, regardless of whether they are supplied by CODESYS or another device manufacturer.

The following CODESYS Control products are affected by this vulnerability in their default configuration because of a preconfigured volatile PlaceholderFilePath for removable media:

  • CODESYS Control for BeagleBone SL
  • CODESYS Control for PFC100 SL
  • CODESYS Control for PFC200 SL
  • CODESYS Control for WAGO Touch Panels 600 SL

All other CODESYS Control runtime products are not affected by the vulnerability in the default configuration. Note: CVE-2024-12429 describes a similar vulnerability that was originally reported for the products of an OEM customer.

Solution

Mitigation

Regardless of the vulnerability described here, CODESYS GmbH recommends that physical access to the controller be granted only to authorized persons. Especially in the case of production control systems, physical manipulation of the controller can affect the controlled machine or process. This generally recommended restriction of access also reduces the attack surface for this vulnerability, as its exploitation requires physical access.

Exploiting this vulnerability requires a successful login to the affected product. The online user management therefore protects against exploitation of this vulnerability. CODESYS GmbH strongly recommends using the online user management, which is enforced by default. This not only prevents access to the file system via malicious symbolic links, but also prevents modifying the PLC application, as well as starting, stopping, debugging or other actions on a known working PLC application that could potentially disrupt a machine or system.

To fully mitigate this vulnerability, system administrators can restrict removable media to those formatted with file systems that do not support symbolic links, such as FAT16 or FAT32. Since these file systems lack symbolic link functionality, this effectively prevents any symbolic link-based attacks.

Alternatively, remove any PlaceholderFilePath settings that point to removable media from the CODESYS Control configuration file, such as:

[SysFile]
PlaceholderFilePath.1=/media/usb, $USB$

Remediation

Update the following products to version 3.5.21.0.

  • CODESYS Control RTE (SL)
  • CODESYS Control RTE (for Beckhoff CX) SL
  • CODESYS Control Win (SL)
  • CODESYS Runtime Toolkit

Update the following products to version 4.16.0.0.

  • CODESYS Control for BeagleBone SL
  • CODESYS Control for emPC-A/iMX6 SL
  • CODESYS Control for IOT2000 SL
  • CODESYS Control for Linux ARM SL
  • CODESYS Control for Linux SL
  • CODESYS Control for PFC100 SL
  • CODESYS Control for PFC200 SL
  • CODESYS Control for PLCnext SL
  • CODESYS Control for Raspberry Pi SL
  • CODESYS Control for WAGO Touch Panels 600 SL
  • CODESYS Virtual Control SL

The release of version 4.16.0.0 is expected for June 2025.

If removable media is configured for the CODESYS Control runtime, make sure that any additional removable storage beyond the boot partition is set as volatile in the CODESYS Control configuration file with the entry "PlaceholderFilePath.<n>.Volatile=1". The fixed CODESYS Control runtime systems then ensure that only configured/permitted paths can be accessed, even when the removable media contains a symbolic link. Example:

[SysFile]
PlaceholderFilePath.1=/media/usb, $USB$
PlaceholderFilePath.1.View=1
PlaceholderFilePath.1.Volatile=1
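A configuration check for the settings above, as an added example that is not a CODESYS tool: it lists every PlaceholderFilePath.<n> entry in [SysFile] that points at removable media and reports whether its Volatile=1 entry is present. The mount prefixes used to recognise removable media, the case-insensitive key matching, and all sample lines except the /media/usb entry are assumptions made for this example.

```python
import re

# Constructed sample; only the /media/usb entry mirrors the advisory's example.
SAMPLE_CFG = """\
[SysFile]
PlaceholderFilePath.1=/media/usb, $USB$
PlaceholderFilePath.1.View=1
PlaceholderFilePath.2=/media/sd, $SD$
PlaceholderFilePath.2.Volatile=1
PlaceholderFilePath.3=/opt/data, $DATA$
"""

ENTRY = re.compile(r"^PlaceholderFilePath\.(\d+)(?:\.(\w+))?\s*=\s*(.*)$", re.I)


def parse_placeholders(cfg_text):
    """Collect PlaceholderFilePath.<n> entries and their sub-settings from [SysFile]."""
    entries, section = {}, None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        m = ENTRY.match(line)
        if section != "SysFile" or not m:
            continue
        idx, sub, value = int(m.group(1)), m.group(2), m.group(3).strip()
        entry = entries.setdefault(idx, {"path": "", "name": "", "opts": {}})
        if sub is None:
            path, _, name = value.partition(",")
            entry["path"], entry["name"] = path.strip(), name.strip()
        else:
            entry["opts"][sub.lower()] = value
    return entries


def audit(cfg_text, removable_prefixes=("/media/", "/mnt/", "/run/media/")):
    """Return (n, path, placeholder, volatile) for entries under an assumed removable prefix."""
    report = []
    for idx, e in sorted(parse_placeholders(cfg_text).items()):
        if (e["path"].rstrip("/") + "/").startswith(removable_prefixes):
            report.append((idx, e["path"], e["name"],
                           e["opts"].get("volatile") == "1"))
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_CFG):
        print(row)
```

On runtimes below the fixed version, every entry the check lists is a candidate for the removal described under Mitigation; on fixed versions, the entries reported with volatile False are the ones that still need the Volatile=1 setting.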

The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or downloaded from the CODESYS Store. Alternatively, and for all other products, further information on obtaining the software update is available in the CODESYS Update area: https://www.codesys.com/download

Reported by

CERT@VDE coordinated with CODESYS

Reporting: D. Blagojevic, S. Dietz and T. Weber from CyberDanube