CODESYS has released patches to address as many as 11 security flaws that, if successfully exploited, could result in information disclosure and a denial-of-service (DoS) condition, among others.
“These vulnerabilities are simple to exploit, and they can be successfully exploited to cause consequences such as sensitive information leakage, PLCs entering a severe fault state, and arbitrary code execution,” Chinese cybersecurity firm NSFOCUS said. “In combination with industrial scenarios on the field, these vulnerabilities could expose industrial production to stagnation, equipment damage, etc.”
Following responsible disclosure between September 2021 and January 2022, fixes were shipped by the German software company last week on June 23, 2022. Two of the bugs are rated as Critical, seven as High, and two as Medium in severity. The issues collectively affect the following products –
- CODESYS Development System prior to version V22.214.171.124
- CODESYS Gateway Client prior to version V126.96.36.199
- CODESYS Gateway Server prior to version V188.8.131.52
- CODESYS Web server prior to version V184.108.40.206
- CODESYS SP Realtime NT prior to version V220.127.116.11
- CODESYS PLCWinNT prior to version V18.104.22.168, and
- CODESYS Runtime Toolkit 32 bit full prior to version V22.214.171.124
Chief among the flaws are CVE-2022-31805 and CVE-2022-31806 (CVSS scores: 9.8), which relate to the cleartext use of passwords used to authenticate before carrying out operations on the PLCs and a failure to enable password protection by default in the CODESYS Control runtime system respectively.
Exploiting the weaknesses could not only allow a malicious actor to seize control of the target PLC device, but also download a rogue project to a PLC and execute arbitrary code.