Automation software CODESYS has been newly found with as many as ten critical vulnerabilities that can primarily impact the platform in a remote code execution scenario on PLCs.
Critical bugs in CODESYS:
Security experts from Positive Technologies have detected these vulnerabilities in CODESYS and have provided that to abuse the security flaws, threat actors do not require usernames or passwords. The only prerequisite is access to the network of the industrial controller.
The vulnerabilities were discovered on a PLC (Programmable Logic Controller) offered by WAGO electric components manufacturer, which employs the CODESYS software for programming and configuring controllers.
The vulnerabilities have been attributed to inadequate verification of input data, which might itself be caused by the failure to comply with the secure development recommendations.
The CODESYS security flaws:
Out of the ten security vulnerabilities detected within CODESYS, six of the most critical ones were found in the CODESYS V2.3 web server element, the element is utilized by the CODESYS WebVisu to visualize a human-machine interface in a web browser.
The six vulnerabilities have all scored a critical 10/10 on the CVSS scale and have the potential to be exploited by malicious actors to intercept peculiarly architectured web server requests to trigger a DoS i.e denial-of-service condition, write or read arbitrary code to and from a control runtime system’s memory, and even crash the automation software web server.
The following lists provided the six 10/10 CVSS security flaws in CODESYS:
- CVE-2021-30189 – Stack-based Buffer Overflow
- CVE-2021-30190 – Improper Access Control
- CVE-2021-30191 – Buffer Copy without Checking Size of Input
- CVE-2021-30192 – Improperly Implemented Security Check
- CVE-2021-30193 – Out-of-bounds Write
- CVE-2021-30194 – Out-of-bounds Read
Three of these ten vulnerabilities were found in the Control V2 and have a score of 8.8 on the CVSS scale. The vulnerabilities are as follows:
- CVE-2021-30186 – Heap-based Buffer Overflow
- CVE-2021-30188 – Stack-based Buffer Overflow
- CVE-2021-30195 – Improper Input Validation
The final security flaw, tracked as CVE-2021-30187, was persistent in the CODESYS Control V2 Linux SysFile library, has a 5.3 rating, and can be exploited to call supplementary PLC functions, thereby permitting malicious entities to delete files or compromise critical processes.
Impact of the vulnerabilities:
“Their exploitation can lead to remote command execution on PLC, which may disrupt technological processes and cause industrial accidents and economic losses,” said Vladimir Nazarov, Head of ICS Security at Positive Technologies. “The most notorious example of exploiting similar vulnerabilities is by using Stuxnet.”
CODESYS has also alerted of these vulnerabilities in their security advisory noting that an attacker with low skills would be able to exploit them.
Currently, however, no cases of public exploitation of the CODESYS vulnerabilities have been reported.