ID

VDE-2021-056

Published

2021-11-16 15:11 (CET)

Last update

2021-11-22 12:03 (CET)

Vendor(s)

WAGO

Product(s)

Article Number        Affected Firmware Versions
750-823               <=FW09
750-829               <=FW16
750-831/000-00x       <=FW14
750-832/000-00x       <=FW09
750-852               <=FW16
750-862               <=FW09
750-880/0xx-xxx       <=FW16
750-881
750-882
750-885/0xx-xxx
750-889
750-890/0xx-xxx       <=FW09
750-891
750-893
750-8202/xxx-xxx      <=03.07.14 (19)
750-8203/xxx-xxx
750-8204/xxx-xxx
750-8206/xxx-xxx
750-8207/xxx-xxx
750-8208/xxx-xxx
750-8210/xxx-xxx
750-8211/xxx-xxx
750-8212/xxx-xxx
750-8213/xxx-xxx
750-8214/xxx-xxx
750-8216/xxx-xxx
750-8217/xxx-xxx

Summary

Multiple vulnerabilities were reported in CODESYS 2.3 Runtime. The CODESYS 2.3 Runtime is an essential component in several WAGO PLCs. All vulnerable PLCs are listed in chapter ‘Affected Products’.
https://www.codesys.com/security/security-reports.html

Vulnerabilities

Weakness
Buffer Over-read (CWE-126)
Summary

Crafted web server requests can be utilised to read partial stack or heap memory or may trigger a denial-of-service condition due to a crash in the CODESYS V2 web ...

Weakness
Use of Out-of-range Pointer Offset (CWE-823)
Summary

A crafted request with invalid offsets may cause an out-of-bounds read or write access in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in ...

Weakness
Heap-based Buffer Overflow (CWE-122)
Summary

Crafted web server requests may cause a heap-based buffer overflow and could therefore trigger a denial-of-service condition due to a crash in the CODESYS V2 web server prior to ...

Weakness
Improper Check for Unusual or Exceptional Conditions (CWE-754)
Summary

In the CODESYS V2 web server prior to V1.1.9.22 crafted web server requests can trigger a parser error. Since the parser result is not checked under all conditions, a pointer ...

Weakness
NULL Pointer Dereference (CWE-476)
Summary

In the CODESYS V2 web server prior to V1.1.9.22 crafted web server requests may cause a Null pointer dereference in the CODESYS web server and may result in a denial-of-service ...

Weakness
Access of Uninitialized Pointer (CWE-824)
Summary

A crafted request may cause a read access to an uninitialized pointer in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service ...

Impact

The reported vulnerabilities allow an attacker who has access to the device and is able to exploit them to manipulate and disrupt the CODESYS 2.3 Runtime or WebVisualisation.

Solution

UPDATE A: fixed firmware versions for 750-890/0xx-xxx, 750-891 and 750-893
We recommend that all affected users of CODESYS 2.3 Runtime PLCs update to the firmware version listed below.

Series Ethernet Controller

Article Number        Fixed Firmware Versions   Available
750-823               >=FW10                    January 2022
750-829               >=FW17                    After BACnet certification
750-831/000-00x       >=FW17                    After BACnet certification
750-832/000-00x       >=FW10                    After BACnet certification
750-852               >=FW17                    Q1 2022
750-862               >=FW10                    January 2022
750-880/0xx-xxx       >=FW17                    Q1 2022
750-881               >=FW17                    Q1 2022
750-882               >=FW17                    Q1 2022
750-885/0xx-xxx       >=FW17                    Q1 2022
750-889               >=FW17                    Q1 2022
750-890/0xx-xxx       >=FW10                    January 2022
750-891                                         January 2022
750-893                                         January 2022

PFC200 Controller

Article Number        Fixed Firmware Versions   Approx. Available
750-8202/xxx-xxx      >=FW20                    January 2022
750-8203/xxx-xxx
750-8204/xxx-xxx
750-8206/xxx-xxx
750-8207/xxx-xxx
750-8208/xxx-xxx
750-8210/xxx-xxx
750-8211/xxx-xxx
750-8212/xxx-xxx
750-8213/xxx-xxx
750-8214/xxx-xxx
750-8216/xxx-xxx
750-8217/xxx-xxx

Mitigation

  1. Use general security best practices to protect systems from local and network attacks.
  2. Do not allow direct access to the device from untrusted networks.
  3. Update to the latest firmware according to the table in chapter ‘Solution’.
  4. Disable the CODESYS 2.3 WebVisualisation and CODESYS 2.3 port 2455.

For further impact information and risk mitigation, please refer to the official CODESYS Advisory Website at https://www.codesys.com/security/security-reports.html
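One way to triage an asset inventory against the affected-products table above, as an added example and not code from the advisory or from WAGO: it reads both firmware notations the page uses (FWnn, and the PFC200 form 03.07.14 (19), assumed here to denote FW release 19, consistent with the >=FW20 fix) and flags each device as affected, not affected, or needing a manual check. The thresholds are copied from the advisory; the inventory rows are constructed.

```python
import re
# Affected-firmware thresholds copied from the advisory's "Product(s)" table.
# Only rows with an explicit version are included; rows the advisory lists
# without a version (e.g. 750-881, 750-891) are left out rather than guessed.
AFFECTED_MAX_FW = {
    "750-823": 9, "750-829": 16, "750-831": 14, "750-832": 9,
    "750-852": 16, "750-862": 9, "750-880": 16, "750-890": 9,
    # PFC200: the advisory writes "<=03.07.14 (19)"; assumption: the number in
    # parentheses is the FW release, consistent with the ">=FW20" fix table.
    **{f"750-{n}": 19 for n in (8202, 8203, 8204, 8206, 8207, 8208, 8210,
                                8211, 8212, 8213, 8214, 8216, 8217)},
}

def parse_fw(version: str) -> int:
    """Return the FW release number from either notation used on the page:
    'FW09' / 'fw 17', or the PFC200 form '03.07.14 (19)' / '03.07.14(19)'."""
    m = re.fullmatch(r"\s*FW\s*(\d+)\s*", version, re.IGNORECASE)
    if m:
        return int(m.group(1))
    m = re.fullmatch(r"\s*\d+\.\d+\.\d+\s*\((\d+)\)\s*", version)
    if m:
        return int(m.group(1))
    raise ValueError(f"unrecognised firmware string: {version!r}")

def base_article(article: str) -> str:
    """'750-880/025-002' -> '750-880': the table keys on the base number,
    the variant suffix after '/' does not change the row."""
    return article.strip().split("/")[0]

def is_affected(article: str, version: str):
    """True/False for articles with a threshold in AFFECTED_MAX_FW; None when
    the article has no threshold here and must be checked against the
    advisory by hand (e.g. 750-881, or a product the advisory does not list)."""
    limit = AFFECTED_MAX_FW.get(base_article(article))
    if limit is None:
        return None
    return parse_fw(version) <= limit

def triage(inventory):
    """Map (article, firmware) pairs to (article, firmware, verdict) triples."""
    return [(a, v, is_affected(a, v)) for a, v in inventory]

if __name__ == "__main__":
    # Constructed sample inventory; these are not values from the advisory.
    sample = [("750-880/025-002", "FW16"), ("750-823", "FW10"),
              ("750-8202/025-001", "03.07.14 (19)"),
              ("750-8212/000-100", "03.08.01 (20)"), ("750-881", "FW12")]
    for row in triage(sample):
        print(row)
```

A None verdict is a prompt to read the advisory tables directly, not a clean bill of health.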

Reported by

These vulnerabilities were reported by

  • CVE-2021-34583, -34584, -34585, -34586 by Tenable Research
  • CVE-2021-34595 by Chen Jie and Gao Jian of NSFOCUS
  • CVE-2021-34596 by Gao Jian of NSFOCUS

Coordination done by CERT@VDE.