VDE-2023-025
Vulnerability from csaf_codesysgmbh - Published: 2023-08-03 11:18 - Updated: 2023-08-03 11:18
Summary
CODESYS: Control runtime system memory and integrity check vulnerabilities
Notes
Summary: The CODESYS Control V3 runtime system does not restrict the memory accesses of the PLC application code to the PLC application data and does not sufficiently check the integrity of the application code by default. This could be exploited by authenticated PLC programmers.
Impact: The CODESYS Control runtime system turns embedded or PC-based devices into programmable industrial controllers. Control programs (PLC application code) can access local or remote I/O, communication interfaces such as serial ports or sockets, and the file system.
Mitigation: To exploit these vulnerabilities, a successful login to the affected product is required. The online user management therefore protects against exploitation of these security vulnerabilities.
CODESYS GmbH strongly recommends using the online user management. This not only prevents the download of malicious code or boot application files, but also blocks starting, stopping, debugging or other actions on a known working application that could potentially disrupt a machine or system. As of version 3.5.17.0, the online user management is enforced by default.
In addition, the CODESYS Development System and the CODESYS Control runtime system support optional signing and encryption of the application code loaded on the controller. This feature also prevents the loading and execution of untrusted or modified boot files. If the application code security policy is set to "Enforced Signing", a modified or untrusted application will be detected due to a missing signature and will not be loaded and executed.
CVE-2022-4046 (CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer): In CODESYS Control in multiple versions, an improper restriction of operations within the bounds of a memory buffer allows a remote attacker with user privileges to gain full access to the device.
CVSS v3.1 base score: 8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Mitigation: as described in the Mitigation note above (online user management; optional signing and encryption of the application code with the "Enforced Signing" policy).
CVE-2023-28355 (CWE-354, Improper Validation of Integrity Check Value): The PLC application code executed by the CODESYS Control Runtime contains a checksum. This enables the CODESYS Development System to check at login whether its loaded project matches the PLC application code executed on the controller. This checksum is not sufficient to reliably detect PLC application code that has been modified in memory or boot application files that have been manipulated.
CVSS v3.1 base score: 7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Mitigation: as described in the Mitigation note above (online user management; optional signing and encryption of the application code with the "Enforced Signing" policy).
References
| URL | Category | Summary |
|---|---|---|
| https://certvde.com/en/advisories/VDE-2023-025/ | self | VDE-2023-025: CODESYS: Control runtime system memory and integrity check vulnerabilities - HTML |
| https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2023-025.json | self | VDE-2023-025: CODESYS: Control runtime system memory and integrity check vulnerabilities - CSAF |
| https://www.codesys.com | external | Vendor PSIRT |
| https://certvde.com/en/advisories/vendor/codesys/ | external | CERT@VDE Security Advisories for CODESYS GmbH |
Acknowledgments
- CERT@VDE (https://certvde.com): coordination
- Reid Wightman, Dragos Inc.: reporting
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
},
{
"names": [
"Reid Wightman"
],
"organization": "Dragos Inc.",
"summary": "reporting"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "The CODESYS Control V3 runtime system does not restrict the memory accesses of the PLC application code to the PLC application data and does not sufficiently check the integrity of the application code by default. This could be exploited by authenticated PLC programmers.",
"title": "Summary"
},
{
"category": "description",
"text": "The CODESYS Control runtime system enables embedded or PC-based devices to be a programmable industrial controller. Control programs (PLC application code) can access local or remote IOs, communication interfaces such as serial or sockets, or the file system.",
"title": "Impact"
},
{
"category": "description",
"text": "To exploit these vulnerabilities, a successful login to the affected product is required. The online user management therefore protects from exploiting these security vulnerabilities.\n\n\nCODESYS GmbH strongly recommends using the online user management. This not only prevents from downloading malicious code or boot application files, but also suppresses starting, stopping, debugging or other actions on a known working application that could potentially disrupt a machine or system. As of version 3.5.17.0, the online user management is enforced by default.\n\n\nIn addition, the CODESYS Development System and the CODESYS Control runtime system support optional signing and encryption of the application code loaded on the controller. This feature also prevents the loading and execution of untrusted or modified boot files. If the application code security policy is set to \"Enforced Signing\", a modified or untrusted application will be detected due to a missing signature and will not be loaded and executed.",
"title": "Mitigation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "security@codesys.com",
"name": "CODESYS GmbH",
"namespace": "https://www.codesys.com"
},
"references": [
{
"category": "self",
"summary": "VDE-2023-025: CODESYS: Control runtime system memory and integrity check vulnerabilities - HTML",
"url": "https://certvde.com/en/advisories/VDE-2023-025/"
},
{
"category": "self",
"summary": "VDE-2023-025: CODESYS: Control runtime system memory and integrity check vulnerabilities - CSAF",
"url": "https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2023-025.json"
},
{
"category": "external",
"summary": "Vendor PSIRT",
"url": "https://www.codesys.com"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for CODESYS GmbH",
"url": "https://certvde.com/en/advisories/vendor/codesys/"
}
],
"title": "CODESYS: Control runtime system memory and integrity check vulnerabilities",
"tracking": {
"aliases": [
"VDE-2023-025"
],
"current_release_date": "2023-08-03T11:18:00.000Z",
"generator": {
"date": "2025-04-23T09:11:49.978Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.23"
}
},
"id": "VDE-2023-025",
"initial_release_date": "2023-08-03T11:18:00.000Z",
"revision_history": [
{
"date": "2023-08-03T11:18:00.000Z",
"number": "1",
"summary": "Initial revision."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "CODESYS Control for BeagleBone SL vers:all/*",
"product_id": "CSAFPID-51001"
}
}
],
"category": "product_name",
"name": "CODESYS Control for BeagleBone SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "CODESYS Control for emPC-A/iMX6 SL vers:all/*",
"product_id": "CSAFPID-51002"
}
}
],
"category": "product_name",
"name": "CODESYS Control for emPC-A/iMX6 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "CODESYS Control for IOT2000 SL vers:all/*",
"product_id": "CSAFPID-51003"
}
}
],
"category": "product_name",
"name": "CODESYS Control for IOT2000 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "CODESYS Control for Linux SL vers:all/*",
"product_id": "CSAFPID-51004"
}
}
],
"category": "product_name",
"name": "CODESYS Control for Linux SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "CODESYS Control for PFC100 SL vers:all/*",
"product_id": "CSAFPID-51005"
}
}
],
"category": "product_name",
"name": "CODESYS Control for PFC100 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "CODESYS Control for PFC200 SL vers:all/*",
"product_id": "CSAFPID-51006"
}
}
],
"category": "product_name",
"name": "CODESYS Control for PFC200 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "CODESYS Control for PLCnext SL vers:all/*",
"product_id": "CSAFPID-51007"
}
}
],
"category": "product_name",
"name": "CODESYS Control for PLCnext SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "CODESYS Control for Raspberry Pi SL vers:all/*",
"product_id": "CSAFPID-51008"
}
}
],
"category": "product_name",
"name": "CODESYS Control for Raspberry Pi SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "CODESYS Control for WAGO Touch Panels 600 SL vers:all/*",
"product_id": "CSAFPID-51009"
}
}
],
"category": "product_name",
"name": "CODESYS Control for WAGO Touch Panels 600 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "CODESYS Control RTE (for Beckhoff CX) SL vers:all/*",
"product_id": "CSAFPID-510010"
}
}
],
"category": "product_name",
"name": "CODESYS Control RTE (for Beckhoff CX) SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "CODESYS Control RTE (SL) vers:all/*",
"product_id": "CSAFPID-510011"
}
}
],
"category": "product_name",
"name": "CODESYS Control RTE (SL)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "CODESYS Control Runtime System Toolkit vers:all/*",
"product_id": "CSAFPID-510012"
}
}
],
"category": "product_name",
"name": "CODESYS Control Runtime System Toolkit"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "CODESYS Control Win (SL) vers:all/*",
"product_id": "CSAFPID-510013"
}
}
],
"category": "product_name",
"name": "CODESYS Control Win (SL)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "CODESYS HMI (SL) vers:all/*",
"product_id": "CSAFPID-510014"
}
}
],
"category": "product_name",
"name": "CODESYS HMI (SL)"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "CODESYS"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008",
"CSAFPID-51009",
"CSAFPID-510010",
"CSAFPID-510011",
"CSAFPID-510012",
"CSAFPID-510013",
"CSAFPID-510014"
],
"summary": "Affected products."
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-4046",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"category": "description",
"text": "In CODESYS Control in multiple versions a improper restriction of operations within the bounds of a memory buffer allow an remote attacker with user privileges to gain full access of the device.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008",
"CSAFPID-51009",
"CSAFPID-510010",
"CSAFPID-510011",
"CSAFPID-510012",
"CSAFPID-510013",
"CSAFPID-510014"
]
},
"remediations": [
{
"category": "mitigation",
"details": "To exploit these vulnerabilities, a successful login to the affected product is required. The online user management therefore protects from exploiting these security vulnerabilities.\n\n\nCODESYS GmbH strongly recommends using the online user management. This not only prevents from downloading malicious code or boot application files, but also suppresses starting, stopping, debugging or other actions on a known working application that could potentially disrupt a machine or system. As of version 3.5.17.0, the online user management is enforced by default.\n\n\nIn addition, the CODESYS Development System and the CODESYS Control runtime system support optional signing and encryption of the application code loaded on the controller. This feature also prevents the loading and execution of untrusted or modified boot files. If the application code security policy is set to \"Enforced Signing\", a modified or untrusted application will be detected due to a missing signature and will not be loaded and executed.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 8.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008",
"CSAFPID-51009",
"CSAFPID-510010",
"CSAFPID-510011",
"CSAFPID-510012",
"CSAFPID-510013",
"CSAFPID-510014"
]
}
],
"title": "CVE-2022-4046"
},
{
"cve": "CVE-2023-28355",
"cwe": {
"id": "CWE-354",
"name": "Improper Validation of Integrity Check Value"
},
"notes": [
{
"category": "description",
"text": "The PLC application code executed by the CODESYS Control Runtime contains a checksum. This enables the CODESYS development system to check at login whether its loaded project matches the PLC application code executed on the controller. This checksum is not sufficient to reliably detect PLC application code that has been modified in memory or boot application files that have been manipulated.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008",
"CSAFPID-51009",
"CSAFPID-510010",
"CSAFPID-510011",
"CSAFPID-510012",
"CSAFPID-510013",
"CSAFPID-510014"
]
},
"remediations": [
{
"category": "mitigation",
"details": "To exploit these vulnerabilities, a successful login to the affected product is required. The online user management therefore protects from exploiting these security vulnerabilities.\n\n\nCODESYS GmbH strongly recommends using the online user management. This not only prevents from downloading malicious code or boot application files, but also suppresses starting, stopping, debugging or other actions on a known working application that could potentially disrupt a machine or system. As of version 3.5.17.0, the online user management is enforced by default.\n\n\nIn addition, the CODESYS Development System and the CODESYS Control runtime system support optional signing and encryption of the application code loaded on the controller. This feature also prevents the loading and execution of untrusted or modified boot files. If the application code security policy is set to \"Enforced Signing\", a modified or untrusted application will be detected due to a missing signature and will not be loaded and executed.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.7,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"temporalScore": 7.7,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008",
"CSAFPID-51009",
"CSAFPID-510010",
"CSAFPID-510011",
"CSAFPID-510012",
"CSAFPID-510013",
"CSAFPID-510014"
]
}
],
"title": "CVE-2023-28355"
}
]
}