Cybersecurity researchers on Thursday disclosed as many as ten critical vulnerabilities impacting CODESYS automation software that could be exploited to achieve remote code execution on programmable logic controllers (PLCs).
“To exploit the vulnerabilities, an attacker does not need a username or password; having network access to the industrial controller is enough,” researchers from Positive Technologies said. “The main cause of the vulnerabilities is insufficient verification of input data, which may itself be caused by failure to comply with the secure development recommendations.”
The Russian cybersecurity firm noted that it detected the vulnerabilities on a PLC offered by WAGO, which, like other automation technology companies such as Beckhoff, Kontron, Moeller, Festo, Mitsubishi, and HollySys, uses CODESYS software for programming and configuring its controllers.
CODESYS offers a development environment for programming controller applications for use in industrial control systems. The German software company credited Vyacheslav Moskvin, Denis Goryushev, Anton Dorfman, Ivan Kurnakov, and Sergey Fedonin of Positive Technologies and Yossi Reuven of SCADAfence for reporting the flaws.
Six of the most severe flaws were identified in the CODESYS V2.3 web server component used by CODESYS WebVisu to visualize a human-machine interface (HMI) in a web browser. The vulnerabilities could potentially be leveraged by an adversary to send specially-crafted web server requests to trigger a denial-of-service condition, write or read arbitrary code to and from a control runtime system’s memory, and even crash the CODESYS web server.