Serious Vulnerabilities Found in CODESYS Software Used by Many ICS Products

Researchers at Russian cybersecurity company Positive Technologies have recently identified some vulnerabilities in various products made by CODESYS. They initially found the flaws in a programmable logic controller (PLC) made by WAGO, but later analysis showed that the issues were actually introduced by CODESYS software which is used by more than a dozen manufacturers for their PLCs, including Beckhoff, Kontron, Moeller, Festo, Mitsubishi, HollySys and several Russian firms.

The vulnerabilities can be exploited for remote code execution on programmable logic controllers (PLCs). “The main cause of the vulnerabilities is insufficient verification of input data, which may itself be caused by failure to comply with the secure development recommendations”, the researchers stated.

Six of the vulnerabilities have been rated critical and they can be exploited using specially crafted requests for remote code execution or to crash the system. The three flaws rated high severity can be leveraged for DoS attacks or remote code execution using specially crafted requests. The remaining security bug has been rated medium severity and it can be exploited to disrupt targeted systems.

Six of the most severe flaws were identified in the CODESYS V2.3 web server component used by CODESYS WebVisu to visualize a human-machine interface (HMI) in a web browser. An adversary could potentially leverage these vulnerabilities by sending specially crafted web server requests to trigger a denial-of-service condition, write or read arbitrary code to and from a control runtime system’s memory, or crash the CODESYS web server.

All six bugs have been rated 10 out of 10 on the CVSS scale:

CVE-2021-30189 – Stack-based Buffer Overflow

CVE-2021-30190 – Improper Access Control

CVE-2021-30191 – Buffer Copy without Checking Size of Input

CVE-2021-30192 – Improperly Implemented Security Check

CVE-2021-30193 – Out-of-bounds Write

CVE-2021-30194 – Out-of-bounds Read

Separately, three other weaknesses (CVSS score: 8.8) disclosed in the Control V2 runtime system could be abused through malicious requests that result in a denial-of-service condition or are leveraged for remote code execution:

CVE-2021-30186 – Heap-based Buffer Overflow

CVE-2021-30188 – Stack-based Buffer Overflow

CVE-2021-30195 – Improper Input Validation

Lastly, a flaw found in the CODESYS Control V2 Linux SysFile library (CVE-2021-30187, CVSS score: 5.3) could be used to call additional PLC functions, in turn allowing a bad actor to delete files and disrupt critical processes.

Remediation:

CODESYS has released updates for its CODESYS V2 web server, Runtime Toolkit and PLCWinNT products to address the vulnerabilities. The vendor has published separate advisories for the critical-, high- and medium-severity issues, and advises customers to install the updates.