10 serious flaws found in CODESYS industrial automation software

2021-11-29 02:53:41 By : Ms. Wang Sasha

Cybersecurity researchers on Thursday disclosed as many as 10 critical vulnerabilities affecting CODESYS automation software that could be exploited to achieve remote code execution on programmable logic controllers (PLCs).

"To exploit these vulnerabilities, an attacker does not need a username or password; having network access to the industrial controller is enough," a Positive Technologies researcher said. "The main cause of the vulnerabilities is insufficient verification of input data, which may itself be caused by a failure to comply with secure development recommendations."

The Russian cybersecurity company said it found the vulnerabilities on PLCs supplied by WAGO, which, like other automation vendors such as Beckhoff, Kontron, Moeller, Festo, Mitsubishi and HollySys, uses CODESYS software to program and configure its controllers.

CODESYS provides a development environment for programming the controller applications used in industrial control systems. The German software company credited Vyacheslav Moskvin, Denis Goryushev, Anton Dorfman, Ivan Kurnakov and Sergey Fedonin of Positive Technologies, and Yossi Reuven of SCADAfence, with reporting the flaws.

Six of the most severe flaws were found in the CODESYS V2.3 web server component used by CODESYS WebVisu to display human-machine interfaces (HMIs) in a web browser. An attacker could send specially crafted web server requests to trigger a denial-of-service condition, write arbitrary code to or read it from the control runtime system's memory, or crash the CODESYS web server outright.

All six bugs carry the maximum CVSS score of 10.0.

Three further weaknesses (CVSS score: 8.8) disclosed in the CODESYS Control V2 runtime system could be abused through malicious requests that lead to a denial-of-service condition or remote code execution.

Finally, a flaw in the CODESYS Control V2 Linux SysFile library (CVE-2021-30187, CVSS score: 5.3) could be used to invoke additional PLC functions, allowing an attacker to delete files and disrupt critical processes.

"Unskilled attackers will be able to exploit these vulnerabilities," CODESYS warned in its advisory, adding that it is not aware of any public exploits specifically targeting them.

"Exploiting them could lead to remote command execution on the PLC, which could disrupt technological processes and cause industrial accidents and economic losses," said Vladimir Nazarov, head of ICS security at Positive Technologies. "The most notorious example of the exploitation of similar vulnerabilities is Stuxnet."

The CODESYS disclosure follows the resolution of similar issues in Siemens SIMATIC S7-1200 and S7-1500 PLCs.