A low privileged attacker with physical access to a controller, that supports removable media and is running a CODESYS Control runtime system, can exploit the insufficient path validation by connecting removable media with a file system supporting symbolic links. This could allow the attacker to bypass SysFile restrictions and gain unauthorized access to the entire file system.

The OPC UA security policy Basic128Rsa15 is vulnerable against attacks on the private key. This can lead to loss of confidentiality or authentication bypass. The CODESYS OPC UA server is not affected in the default configuration. However, the affected policy may be enabled by a customer configuration.

The CODESYS Gateway enables communication between CODESYS runtimes and other clients, primarily the CODESYS Development System V3. It is usually installed as a part of the CODESYS Development System V3 setup and accessed locally by the CODESYS Development System. Due to an insecure standard configuration of the CODESYS Gateway, it is not only accessible locally, but also remotely by default.

The CODESYS Key USB dongle, which is based on WIBU CodeMeter technology, is affected by a physical side-channel vulnerability.

The CODESYS web server component of the CODESYS Control runtime system is used by the CODESYS WebVisu to display visualization screens in a web browser. Receiving a specifically crafted TLS packet on an HTTPS connection causes the CODESYS web server to crash because the return value of an underlying function is not checked correctly for such unusual conditions.

Update: Further software update available

The OSCAT Basic library is one of several libraries developed and provided by OSCAT. OSCAT (oscat.de) stands for "Open Source Community for Automation Technology".

The OSCAT Basic library offers function blocks for various tasks, e.g. for buffer management, list processing, control technology, mathematics, string processing, time and date conversion. By adding the OSCAT Basic library into IEC 61131-3-compliant programming tools, PLC programmers can use all the functions provided by the library in their control programs.

Within the library, the MONTH_TO_STRING function is affected by an out-of-bounds read vulnerability. Exploitation of the vulnerability may lead to limited access to internal data or possibly to a crash of the PLC.

All legitimate local Microsoft Windows users can read or modify files that are located in the working directory of the affected CODESYS products, even if they are executed under a different user or in the system context.

Update: Remediation has been adjusted

The CODESYS OPC UA stack of the CODESYS Control runtime system may incorrectly calculate the required buffer size for received requests/responses. This can lead to a crash of the CODESYS runtime system during the subsequent initialization of the receive buffer with zero.

Update: 10.07.2024 In the Remediation section, the release date of the update has been deleted as the update is now available.