|Article No°||Product Name||Affected Version(s)|
|750-8202/xxx-xxx||<= 03.07.14 (19)|
|750-8203/xxx-xxx||<= 03.07.14 (19)|
|750-8204/xxx-xxx||<= 03.07.14 (19)|
|750-8206/xxx-xxx||<= 03.07.14 (19)|
|750-8207/xxx-xxx||<= 03.07.14 (19)|
|750-8208/xxx-xxx||<= 03.07.14 (19)|
|750-8210/xxx-xxx||<= 03.07.14 (19)|
|750-8211/xxx-xxx||<= 03.07.14 (19)|
|750-8212/xxx-xxx||<= 03.07.14 (19)|
|750-8213/xxx-xxx||<= 03.07.14 (19)|
|750-8214/xxx-xxx||<= 03.07.14 (19)|
|750-8216/xxx-xxx||<= 03.07.14 (19)|
|750-8217/xxx-xxx||<= 03.07.14 (19)|
A Denial-of-Service Vulnerability was reported in CODESYS 2.3 Runtime. The CODESYS 2.3 Runtime is an essential component in several WAGO PLC’s. All vulnerable PLCs are listed in chapter ‘Affected Products’.
In CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V126.96.36.199 unauthenticated crafted invalid requests may result in several denial-of-service conditions. Running PLC programs may be stopped, memory may be leaked, or further communication clients may be blocked from accessing the PLC.
The reported vulnerabilities allow an attacker who has access to the device and is able to exploit the vulnerability, to manipulate and disrupt the CODESYS 2.3 Runtime of the device.
We recommend all affected users with CODESYS 2.3 Runtime PLCs to update to the firmware version listed below.
|Article Number||Fixed in
For further impact information and risk mitigation, please refer to the official CODESYS Advisory Website at https://www.codesys.com/security/security-reports.html
This vulnerability was reported by Steffen Robertz and Gerhard Hechenberger from SEC Consult Vulnerability Lab.
Coordination done by CERT@VDE.