15 CODESYS V3 RCE Vulnerabilities Affect Global Industrial PLCs


Compiled by: Code Guard

Microsoft has disclosed 16 vulnerabilities in the CODESYS V3 software development kit (SDK), 15 of them rated CVSS 8.8, which under certain conditions lead to remote code execution and denial of service and therefore pose a risk to operational technology (OT) environments.


The CODESYS V3 SDK, which supports the IEC 61131-3 programming languages, is used by more than 500 device manufacturers worldwide to program more than 1,000 PLC models, on which custom automation sequences are developed. The SDK also provides a Windows management interface and a simulator, so users can test a PLC's configuration and program before deploying it to a production environment.

The vulnerabilities, numbered CVE-2022-47378 through CVE-2022-47393, are collectively referred to as CoDe16. Fifteen of them carry a CVSS score of 8.8; the remaining one, CVE-2022-47391, is rated 7.5. Twelve of the sixteen are buffer overflow vulnerabilities.

Vladimir Tokarev of Microsoft Threat Intelligence wrote in the report: "These vulnerabilities affect all V3 versions before CODESYS 3.5.19.0 and can put OT infrastructure at risk of attacks such as remote code execution and denial of service." Although successful exploitation requires user authentication and deep knowledge of CODESYS V3's proprietary protocols, the vulnerabilities can have serious consequences: shutting down critical automation processes and enabling malicious tampering. The remote code execution flaws can be used to plant backdoors on OT devices, interfere with the operation of programmable logic controllers, and steal information. "Exploitation of these vulnerabilities requires user authentication as well as bypassing the Data Execution Prevention (DEP) and ASLR mechanisms used by these PLCs," Tokarev explained.

To clear the authentication hurdle, Microsoft's researchers first used an older, known vulnerability (CVE-2019-9013, which leaves user credentials insufficiently protected in transit) to replay the authentication exchange against the PLC and obtain valid credentials, and then sent the crafted requests that trigger the buffer overflows and take control of the device.

CODESYS released patches in April 2023. The individual vulnerabilities are summarized below:

  • CVE-2022-47378: After successful authentication, a specifically crafted communication request with inconsistent content could cause the CmpFiletransfer component to internally read from an illegal address, resulting in a denial of service condition.

  • CVE-2022-47379: After successful authentication, certain crafted communication requests could cause the CmpApp component to write attacker-controlled data into memory, resulting in a denial of service condition, memory overwrite, or remote code execution consequences.

  • CVE-2022-47380 and CVE-2022-47381: After successful authentication, a specially crafted communication request could cause the CmpApp component to write attacker-controlled data to the stack, resulting in a denial of service condition, memory overwrite, or remote code execution consequences.

  • CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, and CVE-2022-47390: After successful authentication, a specially crafted communication request could cause the CmpTraceMgr component to write attacker-controlled data to the stack, resulting in a denial of service condition, memory overwrite, or remote code execution consequences.

  • CVE-2022-47385: A specially crafted communication request could cause affected products to perform internal reads from illegal addresses, potentially resulting in a denial of service condition.

  • CVE-2022-47392: After successful authentication, a specially crafted communication request with inconsistent content could cause the CmpApp/CmpAppBP/CmpAppForce component to perform an internal read from an invalid address, resulting in a denial of service condition.

  • CVE-2022-47393: After successful authentication, a specially crafted communication request could cause the CmpFiletransfer component to dereference an address supplied in the request, forcing an internal read from that address and resulting in a denial of service condition.
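As an added illustration (not CODESYS code, and not Microsoft's or CODESYS's own analysis), the following C snippet models the bug class that runs through the list above: a request handler that trusts a length field carried inside the request. The frame layout, buffer size and function names are hypothetical. The unsafe handler shows both failure modes side by side (a declared length larger than the bytes actually received reads past the frame, the denial-of-service class; one larger than the stack buffer overwrites the stack, the memory-overwrite/RCE class), and the hardened handler rejects both before any copy.

```c
/* Added illustration, not CODESYS code: a hypothetical binary request with a
 * 2-byte opcode, a 2-byte declared payload length and the payload itself.
 * Frame layout, names and sizes are invented for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_LEN  4    /* opcode (2 bytes, LE) + declared payload length (2 bytes, LE) */
#define NAME_MAX 64   /* fixed-size stack buffer the handler copies the payload into */

enum req_status {
    REQ_OK               = 0,
    REQ_ERR_TRUNCATED    = 1,  /* frame shorter than the header itself */
    REQ_ERR_INCONSISTENT = 2,  /* declared length exceeds the bytes actually received */
    REQ_ERR_TOO_LONG     = 3   /* declared length exceeds the destination buffer */
};

struct req_hdr { uint16_t opcode; uint16_t payload_len; };

static struct req_hdr read_hdr(const uint8_t *f) {
    struct req_hdr h;
    h.opcode      = (uint16_t)(f[0] | ((uint16_t)f[1] << 8));
    h.payload_len = (uint16_t)(f[2] | ((uint16_t)f[3] << 8));
    return h;
}

/* Builds a frame whose header may deliberately disagree with the payload it
 * carries; that mismatch is the "inconsistent content". Returns the frame
 * length, or 0 if the caller's buffer is too small. */
static size_t build_frame(uint8_t *buf, size_t cap, uint16_t opcode,
                          uint16_t declared_len, const uint8_t *payload, size_t actual_len) {
    if (cap < HDR_LEN + actual_len) return 0;
    buf[0] = (uint8_t)(opcode & 0xff);       buf[1] = (uint8_t)(opcode >> 8);
    buf[2] = (uint8_t)(declared_len & 0xff); buf[3] = (uint8_t)(declared_len >> 8);
    memcpy(buf + HDR_LEN, payload, actual_len);
    return HDR_LEN + actual_len;
}

/* Vulnerable pattern: the declared length drives both the read from the frame
 * and the write into a fixed stack buffer. A header claiming more bytes than
 * were received reads past the frame (the "internal read from an illegal
 * address" DoS class); a header claiming more than NAME_MAX overwrites the
 * stack (the memory overwrite / RCE class). Kept for contrast only; main()
 * calls it with a well-formed frame. */
static enum req_status handle_unsafe(const uint8_t *frame, size_t frame_len, char *out) {
    char name[NAME_MAX];
    struct req_hdr h = read_hdr(frame);
    (void)frame_len;                                /* received length never consulted */
    memcpy(name, frame + HDR_LEN, h.payload_len);   /* attacker-supplied length trusted */
    memcpy(out, name, h.payload_len);
    out[h.payload_len] = '\0';
    return REQ_OK;
}

/* Hardened handler: every length taken from the wire is checked against what
 * was actually received and against the destination capacity before any copy. */
static enum req_status handle_hardened(const uint8_t *frame, size_t frame_len,
                                       char *out, size_t out_cap) {
    if (frame_len < HDR_LEN) return REQ_ERR_TRUNCATED;
    struct req_hdr h = read_hdr(frame);
    if (h.payload_len > frame_len - HDR_LEN) return REQ_ERR_INCONSISTENT; /* read stays inside the frame */
    if (h.payload_len >= out_cap) return REQ_ERR_TOO_LONG;                /* write stays inside the buffer, room for NUL */
    memcpy(out, frame + HDR_LEN, h.payload_len);
    out[h.payload_len] = '\0';
    return REQ_OK;
}

int main(void) {
    uint8_t frame[256];
    uint8_t big[100];
    char out[NAME_MAX];
    size_t n;

    /* constructed sample 1: honest request, payload "App1" with declared length 4 */
    n = build_frame(frame, sizeof frame, 0x0101, 4, (const uint8_t *)"App1", 4);
    printf("well-formed: unsafe=%d name=%s\n", handle_unsafe(frame, n, out), out);
    printf("well-formed: hardened=%d name=%s\n", handle_hardened(frame, n, out, sizeof out), out);

    /* constructed sample 2: header claims 200 bytes but only 4 follow (out-of-bounds read) */
    n = build_frame(frame, sizeof frame, 0x0101, 200, (const uint8_t *)"App1", 4);
    printf("inconsistent length: hardened=%d\n", handle_hardened(frame, n, out, sizeof out));

    /* constructed sample 3: 100 bytes really present, more than NAME_MAX (stack overwrite) */
    memset(big, 'A', sizeof big);
    n = build_frame(frame, sizeof frame, 0x0101, 100, big, sizeof big);
    printf("oversized payload: hardened=%d\n", handle_hardened(frame, n, out, sizeof out));
    return 0;
}
```

The two checks in the hardened handler map onto the two outcomes the advisories describe: the first keeps the read inside the bytes that were actually received, the second keeps the write inside the destination buffer. Authentication, which the real CODESYS bugs require first, does not remove the need for either check; it only narrows who can send the request.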

"CODESYS is used by many vendors, and a single vulnerability can affect many sectors, device types, and industry verticals, not to mention many vulnerabilities," said Tokarev. "Threat actors can use a vulnerable version of CODESYS to launch a DoS attack on a device, shut down industrial operations, or exploit these RCE vulnerabilities to deploy backdoors to steal sensitive data, tamper with operations, or force PLCs to behave in dangerous ways."




Original link: https://thehackernews.com/2023/08/15-new-codesys-sdk-flaws-expose-ot.html

Title image: Pixabay License

This article was compiled by Qi Anxin Code Guard and does not represent the views of Qi Anxin. When reprinting, please indicate "Reprinted from Qi Anxin Code Guard https://codesafe.qianxin.com".



Origin: blog.csdn.net/smellycat000/article/details/132288604