| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| CODESYS Control for BeagleBone SL | < 4.12.0.0 | |
| CODESYS Control for emPC-A/iMX6 SL | < 4.12.0.0 | |
| CODESYS Control for IOT2000 SL | < 4.12.0.0 | |
| CODESYS Control for Linux ARM SL | < 4.12.0.0 | |
| CODESYS Control for Linux SL | < 4.12.0.0 | |
| CODESYS Control for PFC100 SL | < 4.12.0.0 | |
| CODESYS Control for PFC200 SL | < 4.12.0.0 | |
| CODESYS Control for PLCnext SL | < 4.12.0.0 | |
| CODESYS Control for Raspberry Pi SL | < 4.12.0.0 | |
| CODESYS Control for WAGO Touch Panels 600 SL | < 4.12.0.0 | |
| CODESYS Control RTE (for Beckhoff CX) SL | < 3.5.20.10 | |
| CODESYS Control RTE (SL) | < 3.5.20.10 | |
| CODESYS Control Win (SL) | < 3.5.20.10 | |
| CODESYS HMI (SL) | < 3.5.20.10 | |
| CODESYS Runtime Toolkit | < 3.5.20.10 |
The CODESYS OPC UA stack of the CODESYS Control runtime system may incorrectly calculate the required buffer size for received requests/responses. This can lead to a crash of the CODESYS runtime system during the subsequent initialization of the receive buffer with zero.
An unauthenticated remote attacker can use a malicious OPC UA client to send a crafted request to affected CODESYS products which can cause a DoS due to incorrect calculation of buffer size.
The CODESYS OPC UA stack, implemented by the CmpOPCUAStack component, is an optional part of the CODESYS runtime system. Both the CODESYS OPC UA Server and the CODESYS OPC UA Client of the CODESYS Control runtime system use the CODESYS OPC UA Stack as a common implementation. The OPC UA protocol enables data exchange between the CODESYS runtime system and OPC UA clients such as SCADA or HMIs, or OPC UA servers such as PLCs or other devices.
If a CODESYS runtime system containing the CmpOPCUAStack component receives a specially crafted request/response, the required buffer size in the CODESYS OPC UA server/client may be incorrectly calculated. This can lead to a crash of the CODESYS runtime system during the subsequent initialization of the receive buffer with zero.
An attacker can exploit this vulnerability by using a malicious OPC UA client to send a crafted request to CODESYS products with an affected CODESYS OPC UA server. Conversely, CODESYS products with an affected CODESYS OPC UA client can be crashed if they have connected to a malicious OPC UA server. CODESYS Control runtime systems usually contain both the OPC UA client and the server. The CODESYS HMI only includes the OPC UA client.
Mitigation
Starting from version 3.5.15.0 of the affected products, the incorrect calculation of the buffer size can be avoided if the maximum supported array length of the OPC UA stack of the CODESYS Control runtime system is limited to a value of 10129639 or less.
This can be achieved by adding the following setting in the CODESYS runtime configuration file (e.g. CODESYSControl.cfg):
[CmpOPCUAStack]
Stack.MaxArrayLenth=10129639
Remediation
Update the following products to version 3.5.20.10.
Update the following products to version 4.12.0.0.
The release of version 4.12.0.0 is expected for end of June 2024.
The products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS download area.
CERT@VDE coordinated with CODESYS
This issue was reported by ABB Schweiz AG.