| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| 680052 | Motion controller PMCprimo C | all versions |
| 680053 | Motion controller PMCprimo C | all versions |
| 680054 | Motion controller PMCprimo C | all versions |
| 680055 | Motion controller PMCprimo C | all versions |
| 680062 | Motion controller PMCprimo C | all versions |
| 680063 | Motion controller PMCprimo C | all versions |
| 680064 | Motion controller PMCprimo C | all versions |
| 680065 | Motion controller PMCprimo C | all versions |
| 680162 | Motion controller PMCprimo C | all versions |
| 680163 | Motion controller PMCprimo C | all versions |
| 680164 | Motion controller PMCprimo C | all versions |
| 680165 | Motion controller PMCprimo C | all versions |
| 680172 | Motion controller PMCprimo C | all versions |
| 680173 | Motion controller PMCprimo C | all versions |
| 680174 | Motion controller PMCprimo C | all versions |
| 680175 | Motion controller PMCprimo C | all versions |
| 680182 | Motion controller PMCprimo C2.0 (plug-in card) | <= 03.07.00 |
| 680183 | Motion controller PMCprimo C2.0 (plug-in card) | <= 03.07.00 |
| 680184 | Motion controller PMCprimo C2.0 (plug-in card) | <= 03.07.00 |
| 680185 | Motion controller PMCprimo C2.0 (plug-in card) | <= 03.07.00 |
| 680192 | Motion controller PMCprimo C2.1 (housing version) | <= 03.07.00 |
| 680192(all versions) | Motion controller PMCprimo C2.1 (housing version) | <= 03.07.00 |
| 680193 | Motion controller PMCprimo C2.1 (housing version) | <= 03.07.00 |
| 680194 | Motion controller PMCprimo C2.1 (housing version) | <= 03.07.00 |
| 680195 | Motion controller PMCprimo C2.1 (housing version) | <= 03.07.00 |
| 680082 | Motion controller PMCprimo MC | <= 03.07.00 |
| 680083 | Motion controller PMCprimo MC | <= 03.07.00 |
| 680084 | Motion controller PMCprimo MC | <= 03.07.00 |
| 680085 | Motion controller PMCprimo MC | <= 03.07.00 |
| 265608 | Operator terminal/controller PMI 6 primo | all versions |
| 265613 | Operator terminal/controller PMI 6 primo | all versions |
| 264639 | Operator terminal/controller PMI 6 primo | all versions |
Several Pilz products use Versions V2 and V3 of the CODESYS runtime system from CODESYS GmbH, which enables the execution of IEC 61131-3 PLC programs. These runtime environments contain several vulnerabilities, which an attacker can exploit via the network. Successful exploitation of the vulnerabilities results in reduced availability and, in a worst case, to the insertion of program code.
CODESYS V2 runtime system SP before 2.4.7.55 has a Stack-based Buffer Overflow.
An exploitable code execution vulnerability exists in the PLC_Task functionality of 3S-Smart Software Solutions GmbH CODESYS Runtime 3.5.14.30. A specially crafted network request can cause remote code execution. An attacker can send a malicious packet to trigger this vulnerability.
An issue was discovered in 3S-Smart CODESYS V3 products. The application may utilize non-TLS based encryption, which results in user credentials being insufficiently protected during transport. All variants of the following CODESYS V3 products in all versions containing the CmpUserMgr component are affected regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS V3 Simulation Runtime (part of the CODESYS Development System), CODESYS Control V3 Runtime System Toolkit, CODESYS HMI V3.
A crafted request with invalid offsets may cause an out-of-bounds read or write access in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service condition or local memory overwrite.
CODESYS V2 runtime system SP before 2.4.7.55 has a Heap-based Buffer Overflow.
In CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56 unauthenticated crafted invalid requests may result in several denial-of-service conditions. Running PLC programs may be stopped, memory may be leaked, or further communication clients may be blocked from accessing the PLC.
CODESYS V2 runtime system before 2.4.7.55 has Improper Input Validation.
An issue was discovered in 3S-Smart CODESYS before 3.5.15.0 . Crafted network packets cause the Control Runtime to crash.
An exploitable memory corruption vulnerability exists in the Name Service Client functionality of 3S-Smart Software Solutions CODESYS GatewayService. A specially crafted packet can cause a large memcpy, resulting in an access violation and termination of the process. An attacker can send a packet to a device running the GatewayService.exe to trigger this vulnerability. All variants of the CODESYS V3 products in all versions prior V3.5.16.10 containing the CmpRouter or CmpRouterEmbedded component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PLCnext, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS Control V3 Runtime System Toolkit, CODESYS V3 Embedded Target Visu Toolkit, CODESYS V3 Remote Target Visu Toolkit, CODESYS V3 Safety SIL2, CODESYS Edge Gateway V3, CODESYS Gateway V3, CODESYS HMI V3, CODESYS OPC Server V3, CODESYS PLCHandler SDK, CODESYS V3 Simulation Runtime (part of the CODESYS Development System).
In CODESYS Gateway V3 before 3.5.17.10, there is a NULL Pointer Dereference. Crafted communication requests may cause a Null pointer dereference in the affected CODESYS products and may result in a denial-of-service condition.
CODESYS Control Runtime system before 3.5.17.0 has improper input validation. Attackers can send crafted communication packets to change the router's addressing scheme and may re-route, add, remove or change low level communication packages.
A crafted request may cause a read access to an uninitialized pointer in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service condition.
3S-Smart CODESYS SP Realtime NT before V2.3.7.28, CODESYS Runtime Toolkit 32 bit full before V2.4.7.54, and CODESYS PLCWinNT before V2.4.7.54 allow a NULL pointer dereference.
CODESYS Control V3, Gateway V3, and HMI V3 before 3.5.15.30 allow uncontrolled memory allocation which can result in a remote denial of service condition.
The hashing procedure used to save passwords is inadequate.
This vulnerability enables valid user names to be identified.
The user password can be changed without having to enter the original password.
The affected products use the CODESYS runtime environment from CODESYS GmbH. Either Version V2 or V3 is active, depending on the configuration. V3 is activated upon delivery. These runtime environments contain the listed vulnerabilities. Some of the vulnerabilities only affect either version V2 or V3 of the CODESYS runtime environment.
General countermeasures
Product-specific countermeasures
Pilz would like to thank CERT@VDE for coordinating publication.