Share: Email | Twitter

ID

VDE-2022-022

Published

2022-07-18 12:00 (CEST)

Last update

2022-07-18 11:19 (CEST)

Vendor(s)

Festo SE & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
574415 Controller CECC-D = R06 (11.10.2016) = 2.3.8.1
574415 Controller CECC-D = R05 (17.06.2016) = 2.3.8.0
574418 Controller CECC-LK = R06 (11.10.2016) = 2.3.8.1
574418 Controller CECC-LK = R05 (17.06.2016) = 2.3.8.0
574416 Controller CECC-S = R06 (11.10.2016) = 2.3.8.1
574416 Controller CECC-S = R05 (17.06.2016) = 2.3.8.0

Summary

The Festo controller CECC product family is affected by multiple vulnerabilities in the CODESYS V3 runtime.

Vulnerabilities



CVE-2019-13548
9.8
Last Update
25. Mai 2022 16:20
Severity
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Weakness
Stack-based Buffer Overflow (CWE-121)
Summary

CODESYS V3 web server, all versions prior to 3.5.14.10, allows an attacker to send specially crafted http or https requests which could cause a stack overflow and create a denial-of-service condition or allow remote code execution.

Details
nvd.nist.gov 
CVE-2019-18858
9.8
Last Update
25. Mai 2022 16:21
Severity
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Weakness
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
Summary

CODESYS 3 web server before 3.5.15.20, as distributed with CODESYS Control runtime systems, has a Buffer Overflow.

Details
nvd.nist.gov 
CVE-2021-33485
9.8
Last Update
25. Mai 2022 16:24
Severity
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Weakness
Out-of-bounds Write (CWE-787)
Summary

CODESYS Control Runtime system before 3.5.17.10 has a Heap-based Buffer Overflow.

Details
nvd.nist.gov 
CVE-2019-9010
9.8
Last Update
8. September 2021 08:50
Severity
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Weakness
Insufficient Information (NVD-CWE-noinfo)
Summary

An issue was discovered in 3S-Smart CODESYS V3 products. The CODESYS Gateway does not correctly verify the ownership of a communication channel. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control V3 Runtime System Toolkit, CODESYS Gateway V3, CODESYS V3 Development System.

Details
nvd.nist.gov 
CVE-2018-10612
9.8
Last Update
8. September 2021 09:06
Severity
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Weakness
Improper Access Control (CWE-284)
Summary

In 3S-Smart Software Solutions GmbH CODESYS Control V3 products prior to version 3.5.14.0, user access management and communication encryption is not enabled by default, which could allow an attacker access to the device and sensitive information, including user credentials.

Details
nvd.nist.gov 
CVE-2020-10245
9.8
Last Update
25. Mai 2022 16:22
Severity
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Weakness
Out-of-bounds Write (CWE-787)
Summary

CODESYS V3 web server before 3.5.15.40, as used in CODESYS Control runtime systems, has a buffer overflow.

Details
nvd.nist.gov 
CVE-2019-9008
8.8
Last Update
25. Mai 2022 16:21
Severity
8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Weakness
Incorrect Permission Assignment for Critical Resource (CWE-732)
Summary

An issue was discovered in 3S-Smart CODESYS V3 through 3.5.12.30. A user with low privileges can take full control over the runtime.

Details
nvd.nist.gov 
CVE-2019-9013
8.8
Last Update
15. Februar 2022 09:47
Severity
8.8 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Weakness
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
Summary

An issue was discovered in 3S-Smart CODESYS V3 products. The application may utilize non-TLS based encryption, which results in user credentials being insufficiently protected during transport. All variants of the following CODESYS V3 products in all versions containing the CmpUserMgr component are affected regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS V3 Simulation Runtime (part of the CODESYS Development System), CODESYS Control V3 Runtime System Toolkit, CODESYS HMI V3.

Details
nvd.nist.gov 
CVE-2022-22515
8.1
Last Update
25. Mai 2022 16:26
Severity
8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
Weakness
Exposure of Resource to Wrong Sphere (CWE-668)
Summary

A remote, authenticated attacker could utilize the control program of the CODESYS Control runtime system to use the vulnerability in order to read and modify the configuration file(s) of the affected products.

Details
nvd.nist.gov 
CVE-2021-36764
7.5
Last Update
17. November 2022 13:09
Severity
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
NULL Pointer Dereference (CWE-476)
Summary

In CODESYS Gateway V3 before 3.5.17.10, there is a NULL Pointer Dereference. Crafted communication requests may cause a Null pointer dereference in the affected CODESYS products and may result in a denial-of-service condition.

Details
nvd.nist.gov 
CVE-2020-15806
7.5
Last Update
16. Mai 2022 12:19
Severity
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
Missing Release of Memory after Effective Lifetime (CWE-401)
Summary

CODESYS Control runtime system before 3.5.16.10 allows Uncontrolled Memory Allocation.

Details
nvd.nist.gov 
CVE-2018-20025
7.5
Last Update
25. Mai 2022 16:03
Severity
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Weakness
Use of Insufficiently Random Values (CWE-330)
Summary

Use of Insufficiently Random Values exists in CODESYS V3 products versions prior V3.5.14.0.

Details
nvd.nist.gov 
CVE-2018-20026
7.5
Last Update
25. Mai 2022 16:18
Severity
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Weakness
Insufficient Information (NVD-CWE-noinfo)
Summary

Improper Communication Address Filtering exists in CODESYS V3 products versions prior V3.5.14.0.

Details
nvd.nist.gov 
CVE-2019-13532
7.5
Last Update
25. Mai 2022 16:19
Severity
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Weakness
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Summary

CODESYS V3 web server, all versions prior to 3.5.14.10, allows an attacker to send specially crafted http or https requests which may allow access to files outside the restricted working directory of the controller.

Details
nvd.nist.gov 
CVE-2021-36763
7.5
Last Update
25. Mai 2022 16:24
Severity
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Weakness
Files or Directories Accessible to External Parties (CWE-552)
Summary

In CODESYS V3 web server before 3.5.17.10, files or directories are accessible to External Parties.

Details
nvd.nist.gov 
CVE-2022-22517
7.5
Last Update
25. Mai 2022 16:27
Severity
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
Small Space of Random Values (CWE-334)
Summary

An unauthenticated, remote attacker can disrupt existing communication channels between CODESYS products by guessing a valid channel ID and injecting packets. This results in the communication channel to be closed.

Details
nvd.nist.gov 
CVE-2022-22519
7.5
Last Update
25. Mai 2022 16:30
Severity
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
Buffer Over-read (CWE-126)
Summary

The CODESYS web server is used by the CODESYS WebVisu to display CODESYS visualization screens in a web browser. Specific crafted HTTP or HTTPS requests may cause an internal buffer over-read, which could crash the web server task of the CODESYS Control runtime system.

Details
nvd.nist.gov 
CVE-2021-29241
7.5
Last Update
17. November 2022 13:09
Severity
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
NULL Pointer Dereference (CWE-476)
Summary
CODESYS Gateway 3 before 3.5.16.70 has a NULL pointer dereference that may result in a denial of service (DoS).
Details
nvd.nist.gov 
CVE-2019-5105
7.5
Last Update
8. September 2021 08:50
Severity
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
Out-of-bounds Write (CWE-787)
Summary

An exploitable memory corruption vulnerability exists in the Name Service Client functionality of 3S-Smart Software Solutions CODESYS GatewayService. A specially crafted packet can cause a large memcpy, resulting in an access violation and termination of the process. An attacker can send a packet to a device running the GatewayService.exe to trigger this vulnerability. All variants of the CODESYS V3 products in all versions prior V3.5.16.10 containing the CmpRouter or CmpRouterEmbedded component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PLCnext, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS Control V3 Runtime System Toolkit, CODESYS V3 Embedded Target Visu Toolkit, CODESYS V3 Remote Target Visu Toolkit, CODESYS V3 Safety SIL2, CODESYS Edge Gateway V3, CODESYS Gateway V3, CODESYS HMI V3, CODESYS OPC Server V3, CODESYS PLCHandler SDK, CODESYS V3 Simulation Runtime (part of the CODESYS Development System).

Details
nvd.nist.gov 
CVE-2019-9012
7.5
Last Update
8. September 2021 08:50
Severity
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
Allocation of Resources Without Limits or Throttling (CWE-770)
Summary

An issue was discovered in 3S-Smart CODESYS V3 products. A crafted communication request may cause uncontrolled memory allocations in the affected CODESYS products and may result in a denial-of-service condition. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control V3 Runtime System Toolkit, CODESYS Gateway V3, CODESYS V3 Development System.

Details
nvd.nist.gov 
CVE-2019-9009
7.5
Last Update
8. September 2021 08:50
Severity
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
Improper Handling of Exceptional Conditions (CWE-755)
Summary

An issue was discovered in 3S-Smart CODESYS before 3.5.15.0 . Crafted network packets cause the Control Runtime to crash.

Details
nvd.nist.gov 
CVE-2021-29242
7.3
Last Update
8. September 2021 08:49
Severity
7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Weakness
Improper Input Validation (CWE-20)
Summary

CODESYS Control Runtime system before 3.5.17.0 has improper input validation. Attackers can send crafted communication packets to change the router's addressing scheme and may re-route, add, remove or change low level communication packages.

Details
nvd.nist.gov 
CVE-2022-22514
7.1
Last Update
25. Mai 2022 16:26
Severity
7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H)
Weakness
Untrusted Pointer Dereference (CWE-822)
Summary

An authenticated, remote attacker can gain access to a dereferenced pointer contained in a request. The accesses can subsequently lead to local overwriting of memory in the CmpTraceMgr, whereby the attacker can neither gain the values read internally nor control the values to be written. If invalid memory is accessed, this results in a crash.

Details
nvd.nist.gov 
CVE-2010-5250
6.9
Last Update
25. Mai 2022 16:01
Severity
6.9 (CVSS:2.0/AV:L/AC:M/Au:N/C:C/I:C/A:C)
Weakness
Other (NVD-CWE-Other)
Summary

Untrusted search path vulnerability in the pthread_win32_process_attach_np function in pthreadGC2.dll in Pthreads-win32 2.8.0 allows local users to gain privileges via a Trojan horse quserex.dll file in the current working directory. NOTE: some of these details are obtained from third party information.

Details
nvd.nist.gov 
CVE-2022-22513
6.5
Last Update
25. Mai 2022 16:25
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness
NULL Pointer Dereference (CWE-476)
Summary

An authenticated remote attacker can cause a null pointer dereference in the CmpSettings component of the affected CODESYS products which leads to a crash.

Details
nvd.nist.gov 
CVE-2018-0739
6.5
Last Update
25. Mai 2022 16:02
Severity
6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Weakness
Uncontrolled Recursion (CWE-674)
Summary

Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).

Details
nvd.nist.gov 
CVE-2019-13542
6.5
Last Update
25. Mai 2022 16:20
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness
NULL Pointer Dereference (CWE-476)
Summary

3S-Smart Software Solutions GmbH CODESYS V3 OPC UA Server, all versions 3.5.11.0 to 3.5.15.0, allows an attacker to send crafted requests from a trusted OPC UA client that cause a NULL pointer dereference, which may trigger a denial-of-service condition.

Details
nvd.nist.gov 
CVE-2020-7052
6.5
Last Update
8. September 2021 08:50
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness
Allocation of Resources Without Limits or Throttling (CWE-770)
Summary

CODESYS Control V3, Gateway V3, and HMI V3 before 3.5.15.30 allow uncontrolled memory allocation which can result in a remote denial of service condition.

Details
nvd.nist.gov 
CVE-2020-12068
6.5
Last Update
25. Mai 2022 16:23
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Weakness
Insufficient Information (NVD-CWE-noinfo)
Summary

An issue was discovered in CODESYS Development System before 3.5.16.0. CODESYS WebVisu and CODESYS Remote TargetVisu are susceptible to privilege escalation.

Details
nvd.nist.gov 
CVE-2017-3735
5.3
Last Update
31. Januar 2020 15:29
Severity
5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Weakness
Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
Summary
While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.
Details
nvd.nist.gov 
CVE-2019-9011
n/a
Last Update
15. Februar 2022 09:48
Severity
-
Weakness
-
Summary

This vulnerability enables valid user names to be identified.

Details
nvd.nist.gov 
CVE-2020-12067
n/a
Last Update
15. Februar 2022 09:46
Severity
-
Weakness
-
Summary

The user password can be changed without having to enter the original password.

Details
nvd.nist.gov 
CVE-2020-12069
n/a
Last Update
18. Juli 2022 11:13
Severity
-
Weakness
-
Summary

The hashing procedure used to save passwords is inadequate.

Details
nvd.nist.gov 

Impact

By using the listed vulnerabilities an remote attacker with low privileges may gain full access to the devices or make them unavailable.

Solution

For CVE-2010-5250, CVE-2017-3735, CVE-2018-0739, CVE-2018-10612, CVE-2018-20025, CVE-2018-20026, CVE-2019-13532, CVE-2019-13542, CVE-2019-13548, CVE-2019-18858, CVE-2019-9008, CVE-2019-9009, CVE-2019-9010, CVE-2019-9012, CVE-2020-7052: Update to version 2.4.2.0. This also fixes CODESYS Advisory 2017-01, CODESYS Advisory 2017-03, CODESYS Advisory 2017-06, CODESYS Advisory 2017-07, CODESYS Advisory 2017-09, CODESYS Advisory 2018-04, CODESYS Advisory 2018-05, CODESYS Advisory 2018-07, CODESYS Advisory 2018-11.

For CVE-2019-5105, CVE-2019-9011, CVE-2019-9013, CVE-2020-10245, CVE-2020-12067, CVE-2020-12068, CVE-2020-12069, CVE-2020-15806, CVE-2021-29241, CVE-2021-29242, CVE-2021-33485, CVE-2021-36763, CVE-2021-36764, CVE-2022-22513, CVE-2022-22514, CVE-2022-22515, CVE-2022-22517, CVE-2022-22519: No fix planned. This issue will be handled with next hardware generation release.

General recommendations

Festo strongly recommends to minimize and protect network access to connected devices with state of the art techniques and processes. Festo also highly recommends to apply available firmware updates containig security related changes as soon as possible. For a secure operation follow the recommendations in the product manuals.
Until Festo provides a firmware-update with CODESYS runtime patching the vulnerabilities general recommendation is to:

  1. Do not use the Codesys Web server of the Web-visualization.
  2. The access to a PLC with an active webserver should be restricted on network level to participants for whom it is strictly necessary. Also, the PLC should never be exposed to the internet. Assist IT staff to block access (from outside of company network or from outside of virtual network assigned to machines) to PLC through existing network equipment (routers, firewalls etc) by blocking specific ports and protocols (UDP, TCP).
  3. PLC with WEB server active shall only include visualization screens in the application that are intended for being accessed by operators of the CODESYS WebVisu and the CODESYS Remote TargetVisu.
  4. Activation of the Codesys device user management and visualization user management if Web visualization is used.
    • With the activation of the user management on the device any online service requires an appropriate authentication. It is highly recommended to setup at least one administrator user. Moreover, a set of users belonging to the appropriate groups allow maintaining leveled access rights.
    • Use the protection of the user management in the CODESYS visualization not only for the navigation elements but also for all elements that should be restricted to certain operators only.

As part of a security strategy, Festo supports the CODESYS GmbH recommended following general defense measures to reduce the risk of exploits:

  • Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
  • Use firewalls to protect and separate the control system network from other networks - Use VPN (Virtual Private Networks) tunnels if remote access is required
  • Activate and apply user management and password features
  • Use encrypted communication links
  • Limit the access to both development and control system by physical means, operating system features, etc.
  • Protect both development and control system by using up to date virus detecting solutions

For more information and general recommendations for protecting machines and plants, see also the CODESYS Security Whitepaper: customers.codesys.com/fileadmin/data/customers/ security/CODESYS-Security-Whitepaper.pdf

Reported by

Festo SE & Co. KG thanks the following parties for their efforts:

  • CERT@VDE for coordination and support with this publication