VDE-2023-066
Vulnerability from csaf_codesysgmbh - Published: 2023-12-05 14:25 - Updated: 2023-12-05 14:25
Summary
CODESYS: OS Command Injection Vulnerability in multiple CODESYS Control products
Notes
Summary: UPDATE 29.02.2024: Removed "This version is planned for January 2024." from Solution as the updated version is released.
On CODESYS Control runtimes running on Linux or QNX operating systems, successfully authenticated PLC programmers can utilize SysFile or CAA-File system libraries to inject calls to additional shell functions.
Impact: The CODESYS Control runtime system enables embedded or PC-based devices to be a programmable industrial controller. Control programs can access local or remote IOs, communication interfaces such as serial ports or sockets, and local system functions such as the file system, the real-time clock and other OS functions. A successfully authenticated control programmer could exploit this vulnerability to inject calls to additional operating system shell functions via the SysFile or CAA file system libraries. Only CODESYS Control runtime systems running on Linux or QNX operating systems are affected by this vulnerability.
Mitigation: To exploit this vulnerability, a successful login with the user rights required to download a PLC application is needed. The online user management therefore protects against exploitation of this security vulnerability.
CODESYS GmbH strongly recommends using the online user management. This not only prevents an attacker from downloading virulent code or sending malicious requests, but also suppresses starting, stopping, debugging or other actions on a known working application that could potentially disrupt a machine or system. As of version 3.5.17.0, the online user management is enforced by default.
Remediation: Update the following products to version 3.5.19.50:
• CODESYS Runtime Toolkit
Update the following products to version 4.11.0.0:
• CODESYS Control for BeagleBone SL
• CODESYS Control for emPC-A/iMX6 SL
• CODESYS Control for IOT2000 SL
• CODESYS Control for Linux ARM SL
• CODESYS Control for Linux SL
• CODESYS Control for PFC100 SL
• CODESYS Control for PFC200 SL
• CODESYS Control for PLCnext SL
• CODESYS Control for Raspberry Pi SL
• CODESYS Control for WAGO Touch Panels 600 SL
The products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store.
Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area.
Vulnerability Description: A low-privileged remote attacker could exploit the vulnerability and inject additional system commands via file system libraries, which could give the attacker full control of the device.
CVSS v3.1 base score: 8.8 (High)
Acknowledgments
• CERT@VDE (certvde.com): coordination
• Chuya Hayakawa (00One, Inc. to JPCERT/CC): reporting
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
},
{
"names": [
"Chuya Hayakawa"
],
"organization": "00One, Inc. to JPCERT/CC",
"summary": "reporting"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "UPDATE 29.02.2024: Removed \"This version is planned for January 2024.\" from Solution as the updated version is released.On CODESYS Control runtimes running on Linux or QNX operating systems, successfully authenticated PLC programmers can utilize SysFile or CAA-File system libraries to inject calls to additional shell functions.",
"title": "Summary"
},
{
"category": "description",
"text": "The CODESYS Control runtime system enables embedded or PC-based devices to be a programmable industrial controller. Control programs can access local or remote IOs, communication interfaces such as serial ports or sockets, and local system functions such as the file system, the real-time clock and other OS functions. A successfully authenticated control programmer could exploit this vulnerability to inject calls to additional operating system shell functions via the SysFile or CAA file system libraries.Only CODESYS Control runtime systems running on Linux or QNX operating systems are affected by this vulnerability.",
"title": "Impact"
},
{
"category": "description",
"text": "To exploit this vulnerability, a successful login with according user rights to download a PLC application is required. The online user management therefore protects from exploiting this security vulnerability.\nCODESYS GmbH strongly recommends using the online user management. This not only prevents an attacker from downloading virulent code or sending malicious requests, but also suppresses starting, stopping, debugging or other actions on a known working application that could potentially disrupt a machine or system. As of version 3.5.17.0, the online user management is enforced by default.",
"title": "Mitigation"
},
{
"category": "description",
"text": "Update the following products to version 3.5.19.50: \n\n\u2022 CODESYS Runtime Toolkit \n\nUpdate the following products to version 4.11.0.0.\u00a0 \n\n\u2022 CODESYS Control for BeagleBone SL \n\u2022 CODESYS Control for emPC-A/iMX6 SL \n\u2022 CODESYS Control for IOT2000 SL \n\u2022 CODESYS Control for Linux ARM SL \n\u2022 CODESYS Control for Linux SL \n\u2022 CODESYS Control for PFC100 SL\n\u2022 CODESYS Control for PFC200 SL \n\u2022 CODESYS Control for PLCnext SL \n\u2022 CODESYS Control for Raspberry Pi SL \n\u2022 CODESYS Control for WAGO Touch Panels 600 SL\n\nThe products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store.\nAlternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area.",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "security@codesys.com",
"name": "CODESYS GmbH",
"namespace": "https://www.codesys.com"
},
"references": [
{
"category": "self",
"summary": "VDE-2023-066: CODESYS: OS Command Injection Vulnerability in multiple CODESYS Control products - HTML",
"url": "https://certvde.com/en/advisories/VDE-2023-066/"
},
{
"category": "self",
"summary": "VDE-2023-066: CODESYS: OS Command Injection Vulnerability in multiple CODESYS Control products - CSAF",
"url": "https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2023-066.json"
},
{
"category": "external",
"summary": "Vendor PSIRT",
"url": "https://www.codesys.com"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for CODESYS GmbH",
"url": "https://certvde.com/en/advisories/vendor/codesys/"
}
],
"title": "CODESYS: OS Command Injection Vulnerability in multiple CODESYS Control products",
"tracking": {
"aliases": [
"VDE-2023-066"
],
"current_release_date": "2023-12-05T14:25:00.000Z",
"generator": {
"date": "2025-04-24T07:28:50.264Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.23"
}
},
"id": "VDE-2023-066",
"initial_release_date": "2023-12-05T14:25:00.000Z",
"revision_history": [
{
"date": "2023-12-05T14:25:00.000Z",
"number": "1",
"summary": "Initial revision."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.11.0.0",
"product": {
"name": "CODESYS Control for BeagleBone SL \u003c4.11.0.0",
"product_id": "CSAFPID-51001"
}
},
{
"category": "product_version",
"name": "4.11.0.0",
"product": {
"name": "CODESYS Control for BeagleBone SL 4.11.0.0",
"product_id": "CSAFPID-52001"
}
}
],
"category": "product_name",
"name": "CODESYS Control for BeagleBone SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.11.0.0",
"product": {
"name": "CODESYS Control for emPC-A/iMX6 SL \u003c4.11.0.0",
"product_id": "CSAFPID-51002"
}
},
{
"category": "product_version",
"name": "4.11.0.0",
"product": {
"name": "CODESYS Control for emPC-A/iMX6 SL 4.11.0.0",
"product_id": "CSAFPID-52002"
}
}
],
"category": "product_name",
"name": "CODESYS Control for emPC-A/iMX6 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.11.0.0",
"product": {
"name": "CODESYS Control for IOT2000 SL \u003c4.11.0.0",
"product_id": "CSAFPID-51003"
}
},
{
"category": "product_version",
"name": "4.11.0.0",
"product": {
"name": "CODESYS Control for IOT2000 SL 4.11.0.0",
"product_id": "CSAFPID-52003"
}
}
],
"category": "product_name",
"name": "CODESYS Control for IOT2000 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.11.0.0",
"product": {
"name": "CODESYS Control for Linux ARM SL \u003c4.11.0.0",
"product_id": "CSAFPID-51004"
}
},
{
"category": "product_version",
"name": "4.11.0.0",
"product": {
"name": "CODESYS Control for Linux ARM SL 4.11.0.0",
"product_id": "CSAFPID-52004"
}
}
],
"category": "product_name",
"name": "CODESYS Control for Linux ARM SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.11.0.0",
"product": {
"name": "CODESYS Control for Linux SL \u003c4.11.0.0",
"product_id": "CSAFPID-51005"
}
},
{
"category": "product_version",
"name": "4.11.0.0",
"product": {
"name": "CODESYS Control for Linux SL 4.11.0.0",
"product_id": "CSAFPID-52005"
}
}
],
"category": "product_name",
"name": "CODESYS Control for Linux SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.11.0.0",
"product": {
"name": "CODESYS Control for PFC100 SL \u003c4.11.0.0",
"product_id": "CSAFPID-51006"
}
},
{
"category": "product_version",
"name": "4.11.0.0",
"product": {
"name": "CODESYS Control for PFC100 SL 4.11.0.0",
"product_id": "CSAFPID-52006"
}
}
],
"category": "product_name",
"name": "CODESYS Control for PFC100 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.11.0.0",
"product": {
"name": "CODESYS Control for PFC200 SL \u003c4.11.0.0",
"product_id": "CSAFPID-51007"
}
},
{
"category": "product_version",
"name": "4.11.0.0",
"product": {
"name": "CODESYS Control for PFC200 SL 4.11.0.0",
"product_id": "CSAFPID-52007"
}
}
],
"category": "product_name",
"name": "CODESYS Control for PFC200 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.11.0.0",
"product": {
"name": "CODESYS Control for PLCnext SL \u003c4.11.0.0",
"product_id": "CSAFPID-51008"
}
},
{
"category": "product_version",
"name": "4.11.0.0",
"product": {
"name": "CODESYS Control for PLCnext SL 4.11.0.0",
"product_id": "CSAFPID-52008"
}
}
],
"category": "product_name",
"name": "CODESYS Control for PLCnext SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.11.0.0",
"product": {
"name": "CODESYS Control for Raspberry Pi SL \u003c4.11.0.0",
"product_id": "CSAFPID-51009"
}
},
{
"category": "product_version",
"name": "4.11.0.0",
"product": {
"name": "CODESYS Control for Raspberry Pi SL 4.11.0.0",
"product_id": "CSAFPID-52009"
}
}
],
"category": "product_name",
"name": "CODESYS Control for Raspberry Pi SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.11.0.0",
"product": {
"name": "CODESYS Control for WAGO Touch Panels 600 SL \u003c4.11.0.0",
"product_id": "CSAFPID-510010"
}
},
{
"category": "product_version",
"name": "4.11.0.0",
"product": {
"name": "CODESYS Control for WAGO Touch Panels 600 SL 4.11.0.0",
"product_id": "CSAFPID-520010"
}
}
],
"category": "product_name",
"name": "CODESYS Control for WAGO Touch Panels 600 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c3.5.19.50",
"product": {
"name": "CODESYS Runtime Toolkit for Linux or QNX \u003c3.5.19.50",
"product_id": "CSAFPID-510011"
}
},
{
"category": "product_version",
"name": "3.5.19.50",
"product": {
"name": "CODESYS Runtime Toolkit for Linux or QNX 3.5.19.50",
"product_id": "CSAFPID-520011"
}
}
],
"category": "product_name",
"name": "CODESYS Runtime Toolkit for Linux or QNX"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "CODESYS"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008",
"CSAFPID-51009",
"CSAFPID-510010",
"CSAFPID-510011"
],
"summary": "Affected products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-52001",
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52004",
"CSAFPID-52005",
"CSAFPID-52006",
"CSAFPID-52007",
"CSAFPID-52008",
"CSAFPID-52009",
"CSAFPID-520010",
"CSAFPID-520011"
],
"summary": "Fixed products."
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-6357",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "description",
"text": "A low-privileged remote attacker could exploit the vulnerability and inject additional system commands via file system libraries which could give the attacker full control of the device.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001",
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52004",
"CSAFPID-52005",
"CSAFPID-52006",
"CSAFPID-52007",
"CSAFPID-52008",
"CSAFPID-52009",
"CSAFPID-520010",
"CSAFPID-520011"
],
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008",
"CSAFPID-51009",
"CSAFPID-510010",
"CSAFPID-510011"
]
},
"remediations": [
{
"category": "mitigation",
"details": "To exploit this vulnerability, a successful login with according user rights to download a PLC application is required. The online user management therefore protects from exploiting this security vulnerability.\nCODESYS GmbH strongly recommends using the online user management. This not only prevents an attacker from downloading virulent code or sending malicious requests, but also suppresses starting, stopping, debugging or other actions on a known working application that could potentially disrupt a machine or system. As of version 3.5.17.0, the online user management is enforced by default.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update the following products to version 3.5.19.50: \n\n\u2022 CODESYS Runtime Toolkit \n\nUpdate the following products to version 4.11.0.0.\u00a0 \n\n\u2022 CODESYS Control for BeagleBone SL \n\u2022 CODESYS Control for emPC-A/iMX6 SL \n\u2022 CODESYS Control for IOT2000 SL \n\u2022 CODESYS Control for Linux ARM SL \n\u2022 CODESYS Control for Linux SL \n\u2022 CODESYS Control for PFC100 SL\n\u2022 CODESYS Control for PFC200 SL \n\u2022 CODESYS Control for PLCnext SL \n\u2022 CODESYS Control for Raspberry Pi SL \n\u2022 CODESYS Control for WAGO Touch Panels 600 SL\n\nThe products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store.\nAlternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 8.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008",
"CSAFPID-51009",
"CSAFPID-510010",
"CSAFPID-510011"
]
}
],
"title": "CVE-2023-6357"
}
]
}