Ten vulnerabilities discovered in Codesys control software
Russian cyber-security experts have discovered ten vulnerabilities – some of them rated as critical – in the Codesys 2 industrial control software used as the basis for the firmware in controllers from 15 manufacturers, including Beckhoff, Kontron, Festo and Mitsubishi. The German-based developer, Codesys, has released a software update to fix the vulnerabilities and has issued advisory notices for the three software components affected.
The vulnerabilities were identified by the cyber-security specialist, Positive Technologies. It found them first in a Wago 750-8207 PLC (which is a discontinued product). The researchers informed Wago, which passed the information on to Codesys.
Some of these vulnerabilities were rated as 10 out of 10 – or “extremely dangerous”, according to Positive Technologies’ head of ICS security, Vladimir Nazarov. “Their exploitation can lead to remote command execution on PLC, which may disrupt technological processes and cause industrial accidents and economic losses.”
To exploit the vulnerabilities, an attacker would not need a user name or password; having network access to the controller would be enough. According to the researchers, the main cause of the vulnerabilities is insufficient verification of input data, which may itself be caused by failure to comply with secure development recommendations.
The potentially most dangerous problems were found in the Codesys V2.3 Web server component, which is used for HMI displays in Web browsers. Multiple vulnerabilities discovered in this component have received a CVSS (Common Vulnerability Scoring System) 3.0 score of 10 – the highest possible.
Other vulnerabilities, rated at 8.8, were found in the Codesys Control V2 communication runtime system, which allows embedded PC systems to be used as programmable controllers.
A final vulnerability, with a rating of 5.3, was discovered in Codesys’ Control V2 Linux SysFile library. This vulnerability can be used to call additional PLC functions using the SysFile system library. Attackers could, for example, delete some files and potentially disrupt particular processes.
Codesys software is used in controllers from more than a dozen different manufacturers
To eliminate the vulnerabilities, users are advised to follow the recommendations in the Codesys advisories. If it is impossible to install an update, they should look for signs of penetration by using systems for monitoring security and managing cybersecurity incidents, such as PT Industrial Security Incident Manager.
In its three advisory notices, Codesys rates the severity of the vulnerabilities as ranging from medium to critical. It adds that it is not aware of any public exploits specifically targeting the vulnerabilities.
Codesys, which employs about 200 people in Germany, China, Italy and the US, has a customer base of more than 400 manufacturers of programmable automation components.