Share: Email | Twitter

ID

VDE-2021-054

Published

2022-04-26 12:00 (CEST)

Last update

2022-07-05 16:13 (CEST)

Vendor(s)

Pilz GmbH & Co. KG

Product(s)

Article No┬░ Product Name Affected Version(s)
680052 Motion controller PMCprimo C all versions
680053 Motion controller PMCprimo C all versions
680054 Motion controller PMCprimo C all versions
680055 Motion controller PMCprimo C all versions
680062 Motion controller PMCprimo C all versions
680063 Motion controller PMCprimo C all versions
680064 Motion controller PMCprimo C all versions
680065 Motion controller PMCprimo C all versions
680162 Motion controller PMCprimo C all versions
680163 Motion controller PMCprimo C all versions
680164 Motion controller PMCprimo C all versions
680165 Motion controller PMCprimo C all versions
680172 Motion controller PMCprimo C all versions
680173 Motion controller PMCprimo C all versions
680174 Motion controller PMCprimo C all versions
680175 Motion controller PMCprimo C all versions
680182 Motion controller PMCprimo C2.0 (plug-in card) <= 03.07.00
680183 Motion controller PMCprimo C2.0 (plug-in card) <= 03.07.00
680184 Motion controller PMCprimo C2.0 (plug-in card) <= 03.07.00
680185 Motion controller PMCprimo C2.0 (plug-in card) <= 03.07.00
680192 Motion controller PMCprimo C2.1 (housing version) <= 03.07.00
680192(all versions) Motion controller PMCprimo C2.1 (housing version) <= 03.07.00
680193 Motion controller PMCprimo C2.1 (housing version) <= 03.07.00
680194 Motion controller PMCprimo C2.1 (housing version) <= 03.07.00
680195 Motion controller PMCprimo C2.1 (housing version) <= 03.07.00
680082 Motion controller PMCprimo MC <= 03.07.00
680083 Motion controller PMCprimo MC <= 03.07.00
680084 Motion controller PMCprimo MC <= 03.07.00
680085 Motion controller PMCprimo MC <= 03.07.00
265608 Operator terminal/controller PMI 6 primo all versions
265613 Operator terminal/controller PMI 6 primo all versions
264639 Operator terminal/controller PMI 6 primo all versions

Summary

Several Pilz products use Versions V2 and V3 of the CODESYS runtime system from CODESYS GmbH, which enables the execution of IEC 61131-3 PLC programs. These runtime environments contain several vulnerabilities, which an attacker can exploit via the network. Successful exploitation of the vulnerabilities results in reduced availability and, in a worst case, to the insertion of program code.

Vulnerabilities



Weakness
Out-of-bounds Write (CWE-787)
Summary

CODESYS V2 runtime system SP before 2.4.7.55 has a Stack-based Buffer Overflow.

Weakness
Insufficient Verification of Data Authenticity (CWE-345)
Summary

An exploitable code execution vulnerability exists in the PLC_Task functionality of 3S-Smart Software Solutions GmbH CODESYS Runtime 3.5.14.30. A specially crafted network request can cause remote code execution. An attacker ...

Weakness
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
Summary

An issue was discovered in 3S-Smart CODESYS V3 products. The application may utilize non-TLS based encryption, which results in user credentials being insufficiently protected during transport. All variants of the ...

Weakness
Use of Out-of-range Pointer Offset (CWE-823)
Summary

A crafted request with invalid offsets may cause an out-of-bounds read or write access in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in ...

Weakness
Out-of-bounds Write (CWE-787)
Summary

CODESYS V2 runtime system SP before 2.4.7.55 has a Heap-based Buffer Overflow.

Weakness
Improper Handling of Exceptional Conditions (CWE-755)
Summary

In CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56 unauthenticated crafted invalid requests may result in several denial-of-service conditions. Running PLC programs may be stopped, ...

Weakness
Out-of-bounds Read (CWE-125)
Summary

CODESYS V2 runtime system before 2.4.7.55 has Improper Input Validation.

Weakness
NULL Pointer Dereference (CWE-476)
Summary

CODESYS Gateway 3 before 3.5.17.0 has a NULL pointer dereference that may result in a denial of service (DoS).

Weakness
Improper Handling of Exceptional Conditions (CWE-755)
Summary

An issue was discovered in 3S-Smart CODESYS before 3.5.15.0 . Crafted network packets cause the Control Runtime to crash.

Weakness
Out-of-bounds Write (CWE-787)
Summary

An exploitable memory corruption vulnerability exists in the Name Service Client functionality of 3S-Smart Software Solutions CODESYS GatewayService. A specially crafted packet can cause a large memcpy, resulting in an ...

Weakness
NULL Pointer Dereference (CWE-476)
Summary

In CODESYS Gateway V3 before 3.5.17.10, there is a NULL Pointer Dereference. Crafted communication requests may cause a Null pointer dereference in the affected CODESYS products and may result in ...

Weakness
Improper Input Validation (CWE-20)
Summary

CODESYS Control Runtime system before 3.5.17.0 has improper input validation. Attackers can send crafted communication packets to change the router's addressing scheme and may re-route, add, remove or change low ...

Weakness
Access of Uninitialized Pointer (CWE-824)
Summary

A crafted request may cause a read access to an uninitialized pointer in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service ...

Weakness
NULL Pointer Dereference (CWE-476)
Summary

3S-Smart CODESYS SP Realtime NT before V2.3.7.28, CODESYS Runtime Toolkit 32 bit full before V2.4.7.54, and CODESYS PLCWinNT before V2.4.7.54 allow a NULL pointer dereference.

Weakness
Allocation of Resources Without Limits or Throttling (CWE-770)
Summary

CODESYS Control V3, Gateway V3, and HMI V3 before 3.5.15.30 allow uncontrolled memory allocation which can result in a remote denial of service condition.

Severity
-
Weakness
-
Summary

The hashing procedure used to save passwords is inadequate.

Source
codesys.com 
Severity
-
Weakness
-
Summary

This vulnerability enables valid user names to be identified.

Source
codesys.com 
Severity
-
Weakness
-
Summary

The user password can be changed without having to enter the original password.

Source
codesys.com 

Impact

The affected products use the CODESYS runtime environment from CODESYS GmbH. Either Version V2 or V3 is active, depending on the configuration. V3 is activated upon delivery. These runtime environments contain the listed vulnerabilities. Some of the vulnerabilities only affect either version V2 or V3 of the CODESYS runtime environment.

Solution

General countermeasures

  • Use a firewall or comparable measures at network level to protect the devices from unauthorised network communication.
  • Employ user management to restrict online access to authorised persons.

Product-specific countermeasures

  • PMI 6 primo, PMCprimo C: No product-specific countermeasures available, please follow the general countermeasures.
  • PMCprimo C2, PMCprimo MC: Installation of Firmware Version 03.08.00 This update does not resolve the vulnerabilities (CVE-2021-34595, CVE-2021-34596, CVE-2021-34593, CVE-2021-30186, CVE-2021-30188, CVE-2021-30195, CVE-2019-19789) in the CODESYS V2 runtime system. The V2 runtime system is still included for compatibility reasons but is no longer supported by Pilz. Please migrate your application to the V3 runtime system or follow the general countermeasures.

Reported by

Pilz would like to thank CERT@VDE for coordinating publication.