Vulnerability in the routing protocol of the PLC runtime

Published

2021-05-19 00:00:00 UTC

Summary

BOSCH-SA-350374: The control systems IndraMotion MTX, MLC and MLD and the ctrlX CORE PLC application contain PLC technology from Codesys GmbH. The manufacturer Codesys GmbH has published a security bulletin [1] about a weakness in the routing protocol used for communication between the PLC runtime and its clients. By sending crafted communication packets, an attacker can change the router's addressing scheme and may re-route, add, remove or modify low-level communication packets.

On the ctrlX CORE PLC Runtime, an attacker might exploit the vulnerability to obfuscate the origin of the attacker's address and thereby cover their tracks, or, in the worst case, cause a temporary interruption of communication with the PLC Runtime. No authentication bypass is possible. Restarting the PLC Runtime application returns it to a working state.

On IndraMotion MLC, MTX and MLD, an attacker might exploit the vulnerability to act as a man in the middle and manipulate communication requests between the PLC runtime and its clients. In the worst case, this would allow the attacker to manipulate the PLC Runtime and/or read data without authorization.

The vulnerability currently affects all available software versions.