The German company 3S-Smart Software Solutions GmbH has found a critical vulnerability in the programming tool for its CoDeSys V3 industrial controllers that could allow an attacker to cause a denial of service, remotely execute arbitrary code, or gain access to any file.
The flaw is contained in the optional CmpWebServer component and affects all firmware versions up to and including 3.5.12.80. The vulnerability, assigned the identifier CVE-2019-13548, received the maximum score of 10 on the CVSS v3 scale.
This severity rating reflects the fact that exploiting the flaw requires neither special skills nor local access to the system. At the same time, the potential targets are widely deployed in critical industries. Embedded controllers running CoDeSys automate a wide range of technological processes in large and small enterprises, for example in foundry and rolling equipment, woodworking machines and assembly machines, as well as in cranes, excavators and dump trucks.
“The error is related to web rendering, so all affected PLCs support the web server. Specially created HTTP or HTTPS requests can cause a buffer overflow on the stack, which will allow access to files outside the controller’s working directory. Because the web server is part of the CoDeSys runtime support system, this can lead to unexpected behavior of the entire runtime system,” states the official report on the vulnerability.
It is reported that Ivan Cheyrezy of Schneider Electric discovered the security flaw. He informed the manufacturer, which, in turn, issued a number of updates.
It should be noted that, along with the information about CVE-2019-13548, details of four other vulnerabilities in the CoDeSys product line were published.
One of them, CVE-2019-13538, is rated 8.6 on the CVSS v3 scale. It is contained in the library manager and allows an attacker with local access to the system to conduct an XSS attack and execute active malicious content embedded in a library. Another bug, CVE-2019-9008, received a score of 8.8. It stems from the incorrect assignment of access rights in the object hierarchy and allows an authenticated user to obtain permissions on a sub-object that are not granted by the current user's set of privileges.
Two other vulnerabilities could lead to a denial of service: CVE-2019-9009, due to an unhandled error, and CVE-2019-13542, through a null pointer dereference.
Recommendations:
The developers recommend using versions 3.5.14.10 and 3.5.15.0, since at the time firmware 3.5.12.80 was released they had not yet identified all of the affected products.
Although there is no data on active exploitation of these vulnerabilities, 3S-Smart Software Solutions recommends not neglecting the usual protective measures:
- minimize the exposure of industrial devices to the network and use them only in a secure environment;
- use firewalls to isolate the control system from other networks;
- use VPN for remote access;
- use the password management function;
- restrict access to the development and management system both physically and by means of the operating system;
- use modern anti-virus solutions.