
ID: VDE-2021-056
Published: 2021-11-16 15:11 (CET)
Last update: 2021-11-24 09:48 (CET)
Vendor(s): WAGO GmbH & Co. KG

Product(s)

Article No.          Affected Version(s)
750-8202/xxx-xxx     <= 03.07.14 (19)
750-8203/xxx-xxx     <= 03.07.14 (19)
750-8204/xxx-xxx     <= 03.07.14 (19)
750-8206/xxx-xxx     <= 03.07.14 (19)
750-8207/xxx-xxx     <= 03.07.14 (19)
750-8208/xxx-xxx     <= 03.07.14 (19)
750-8210/xxx-xxx     <= 03.07.14 (19)
750-8211/xxx-xxx     <= 03.07.14 (19)
750-8212/xxx-xxx     <= 03.07.14 (19)
750-8213/xxx-xxx     <= 03.07.14 (19)
750-8214/xxx-xxx     <= 03.07.14 (19)
750-8216/xxx-xxx     <= 03.07.14 (19)
750-8217/xxx-xxx     <= 03.07.14 (19)
750-823              <= FW09
750-829              <= FW16
750-831/000-00x      <= FW14
750-832/000-00x      <= FW09
750-852              <= FW16
750-862              <= FW09
750-880/0xx-xxx      <= FW16
750-881              <= FW16
750-882              <= FW16
750-885/0xx-xxx      <= FW16
750-889              <= FW16
750-890/0xx-xxx      <= FW09
750-891              <= FW09
750-893              <= FW09

Summary

Multiple vulnerabilities were reported in CODESYS 2.3 Runtime. The CODESYS 2.3 Runtime is an essential component in several WAGO PLCs. All vulnerable PLCs are listed in chapter ‘Affected Products’.
https://www.codesys.com/security/security-reports.html

Vulnerabilities

Last Update: Nov. 15, 2021, 5:02 p.m.
Weakness: Buffer Over-read (CWE-126)
Summary: Crafted web server requests can be utilised to read partial stack or heap memory or may trigger a denial-of-service condition due to a crash in the CODESYS V2 web server prior to V1.1.9.22.

Last Update: Feb. 15, 2022, 7:33 a.m.
Weakness: Use of Out-of-range Pointer Offset (CWE-823)
Summary: A crafted request with invalid offsets may cause an out-of-bounds read or write access in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to version V2.4.7.56, resulting in a denial-of-service condition or local memory overwrite.

Last Update: Nov. 15, 2021, 5:02 p.m.
Weakness: Heap-based Buffer Overflow (CWE-122)
Summary: Crafted web server requests may cause a heap-based buffer overflow and could therefore trigger a denial-of-service condition due to a crash in the CODESYS V2 web server prior to V1.1.9.22.

Last Update: Nov. 17, 2022, 1:09 p.m.
Weakness: Unchecked Return Value (CWE-252)
Summary: In the CODESYS V2 web server prior to V1.1.9.22, crafted web server requests can trigger a parser error. Since the parser result is not checked under all conditions, a pointer dereference with an invalid address can occur. This leads to a denial-of-service condition.

Last Update: Nov. 15, 2021, 5:02 p.m.
Weakness: NULL Pointer Dereference (CWE-476)
Summary: In the CODESYS V2 web server prior to V1.1.9.22, crafted web server requests may cause a NULL pointer dereference in the CODESYS web server and may result in a denial-of-service condition.

Last Update: Feb. 15, 2022, 7:33 a.m.
Weakness: Access of Uninitialized Pointer (CWE-824)
Summary: A crafted request may cause a read access to an uninitialized pointer in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to version V2.4.7.56, resulting in a denial-of-service condition.

Impact

The reported vulnerabilities allow an attacker who has access to the device, and is able to exploit them, to manipulate and disrupt the CODESYS 2.3 Runtime or WebVisualisation.

Solution

UPDATE A: fixed firmware versions for 750-890/0xx-xxx, 750-891 and 750-893
We recommend that all affected users of CODESYS 2.3 Runtime PLCs update to the firmware versions listed below.

Series Ethernet Controller

Article Number       Fixed Firmware Versions   Available
750-823              >=FW10                    January 2022
750-829              >=FW17                    After BACnet certification
750-831/000-00x      >=FW17                    After BACnet certification
750-832/000-00x      >=FW10                    After BACnet certification
750-852              >=FW17                    Q1 2022
750-862              >=FW10                    January 2022
750-880/0xx-xxx      >=FW17                    Q1 2022
750-881              >=FW17                    Q1 2022
750-882              >=FW17                    Q1 2022
750-885/0xx-xxx      >=FW17                    Q1 2022
750-889              >=FW17                    Q1 2022
750-890/0xx-xxx      >=FW10                    January 2022
750-891                                        January 2022
750-893                                        January 2022

PFC200 Controller

Article Number       Fixed Firmware Versions   Approx. Available
750-8202/xxx-xxx     >=FW20                    January 2022
750-8203/xxx-xxx     >=FW20                    January 2022
750-8204/xxx-xxx     >=FW20                    January 2022
750-8206/xxx-xxx     >=FW20                    January 2022
750-8207/xxx-xxx     >=FW20                    January 2022
750-8208/xxx-xxx     >=FW20                    January 2022
750-8210/xxx-xxx     >=FW20                    January 2022
750-8211/xxx-xxx     >=FW20                    January 2022
750-8212/xxx-xxx     >=FW20                    January 2022
750-8213/xxx-xxx     >=FW20                    January 2022
750-8214/xxx-xxx     >=FW20                    January 2022
750-8216/xxx-xxx     >=FW20                    January 2022
750-8217/xxx-xxx     >=FW20                    January 2022
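
To turn the two tables above into an inventory check, the following added example (not WAGO's or CERT@VDE's code) matches a device's article number against the wildcard patterns from this advisory and compares its firmware to the last affected and first fixed FW. It assumes that the number in parentheses in a PFC200 version string such as "03.07.14 (19)" is the FW number (so ">=FW20" is the fix), and that series controllers report their firmware as "FWnn"; the inventory lines are constructed sample data.

```python
import re

# Affected / fixed firmware per article number, transcribed from the advisory tables above.
# 'x' in an article number is a wildcard digit. Assumption: the parenthesised number in a
# PFC200 version string ("03.07.14 (19)") is the FW number, so FW19 is the last affected build.
PFC200_ARTICLES = ["8202", "8203", "8204", "8206", "8207", "8208", "8210",
                   "8211", "8212", "8213", "8214", "8216", "8217"]
AFFECTED = {f"750-{a}/xxx-xxx": (19, 20) for a in PFC200_ARTICLES}
AFFECTED.update({                 # (last affected FW, first fixed FW; None = not listed yet)
    "750-823": (9, 10), "750-829": (16, 17), "750-831/000-00x": (14, 17),
    "750-832/000-00x": (9, 10), "750-852": (16, 17), "750-862": (9, 10),
    "750-880/0xx-xxx": (16, 17), "750-881": (16, 17), "750-882": (16, 17),
    "750-885/0xx-xxx": (16, 17), "750-889": (16, 17), "750-890/0xx-xxx": (9, 10),
    "750-891": (9, None), "750-893": (9, None),
})

def fw_number(version: str) -> int:
    """Return the FW number from "FW16" or from "03.07.14 (19)" (the parenthesised build)."""
    m = re.search(r"\((\d+)\)\s*$", version) or re.fullmatch(r"\s*FW(\d+)\s*", version, re.I)
    if not m:
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    return int(m.group(1))

def lookup(article: str):
    """Match an article number against the wildcard patterns; None if not listed in the advisory."""
    for pattern, fws in AFFECTED.items():
        if re.fullmatch(re.escape(pattern).replace("x", r"\d"), article):
            return fws
    return None

def check_device(article: str, version: str):
    """Classify one inventory entry: ('affected' | 'not affected' | 'not listed', first fixed FW)."""
    entry = lookup(article)
    if entry is None:
        return ("not listed", None)
    last_affected, first_fixed = entry
    status = "affected" if fw_number(version) <= last_affected else "not affected"
    return (status, first_fixed)

if __name__ == "__main__":
    # Constructed sample inventory: (article number, firmware as reported by the device).
    inventory = [("750-8212/000-001", "03.07.14 (19)"), ("750-831/000-002", "FW14"),
                 ("750-891", "FW09"), ("750-880/020-000", "FW17")]
    for article, version in inventory:
        status, fixed = check_device(article, version)
        target = f"update to >=FW{fixed}" if fixed else "no fixed firmware listed yet"
        print(f"{article:20} {version:15} {status:13} {target if status == 'affected' else ''}")
```

Devices reported as "affected" with no fixed firmware listed (750-891, 750-893 at the time of this advisory) should be covered by the mitigations below until the update is available.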

Mitigation

  1. Use general security best practices to protect systems from local and network attacks.
  2. Do not allow direct access to the device from untrusted networks.
  3. Update to the latest firmware according to the tables in chapter ‘Solution’.
  4. Disable the CODESYS 2.3 WebVisualisation and CODESYS 2.3 port 2455.

For further impact information and risk mitigation, please refer to the official CODESYS Advisory Website at https://www.codesys.com/security/security-reports.html

Reported by

These vulnerabilities were reported by

  • CVE-2021-34583, -34584, -34585, -34586 by Tenable Research
  • CVE-2021-34595 by Chen Jie and Gao Jian of NSFOCUS
  • CVE-2021-34596 by Gao Jian of NSFOCUS

Coordination done by CERT@VDE.