VDE-2024-027 | CERT@VDE

2024-06-04 08:00 (CEST) VDE-2024-027

CODESYS: Vulnerability in multiple products through exposure of resource to wrong sphere

Share: Email | Twitter

ID

VDE-2024-027

Published

2024-06-04 08:00 (CEST)

Last update

2024-06-04 10:52 (CEST)

Vendor(s)

CODESYS GmbH

Product(s)

Article No°	Product Name	Affected Version(s)
	CODESYS Control Win (SL)	< 3.5.20.10
	CODESYS Development System V3	< 3.5.20.10
	CODESYS Edge Gateway for Windows	< 3.5.20.10
	CODESYS Gateway for Windows	< 3.5.20.10
	CODESYS HMI (SL)	< 3.5.20.10

Summary

All legitimate local Microsoft Windows users can read or modify files that are located in the working directory of the affected CODESYS products, even if they are executed under a different user or in the system context.

CVE ID

CVE-2023-5751

Last Update:

23. Mai 2024 11:56

Severity

7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Weakness

Exposure of Resource to Wrong Sphere (CWE-668)

Summary

A local attacker with low privileges can read and modify any users files and cause a DoS in the working directory of the affected products due to exposure of resource to wrong sphere.

Details

cert.vde.com

Impact

The CODESYS Development System is an IEC 61131-3 programming tool for the industrial controller and automation technology sector. The integrated runtime for simulating CODESYS projects as well as CODESYS Control Win V3, CODESYS HMI and the CODESYS (Edge) Gateway running under the Microsoft Windows operating system have their working directory under %ProgramData%\CODESYS\ by default. All legitimate local Microsoft Windows users can read or modify files in this working directory, even if the affected products are running under a different user or in the system context.

Solution

Mitigation

Only create required user accounts on the Microsoft Windows systems on which the affected software is installed. Users who do not need to use the affected software should not have access to these systems.

Remediation

Update the following products to version 3.5.20.10.

CODESYS Control Win (SL)
CODESYS Edge Gateway for Windows
CODESYS Gateway for Windows
CODESYS HMI (SL)
CODESYS Development System V3

The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS download area.

The working directories of the affected products are moved to "%APPDATA%\CODESYS\", which is usually located in C:\Users\<user>\AppData\CODESYS\ and can only be accessed by the respective user.

If the PLC is started with the "CODESYS Control Win SysTray PLC Control", it runs in the Windows user account "LocalSystem" and therefore the effective working directory is "C:\Windows\system32\config\systemprofile\AppData\Roaming\CODESYS\" or C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\CODESYS\. An administrator account is required to access these folders.

Reported by

CERT@VDE coordinated with CODESYS

This issue was reported by joker63.