
ID

VDE-2022-037

Published

2022-11-29 12:41 (CET)

Last update

2022-11-29 12:45 (CET)

Vendor(s)

Festo SE & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
Compact Vision System SBO*-Q-* = All Versions
Control block CPX-CEC-C1 Codesys V2 = All Versions
Control block CPX-CEC-C1-V3 Codesys V3 = All Versions
Control block CPX-CEC Codesys V2 = All Versions
Control block CPX-CEC-M1 Codesys V2 = All Versions
Control block CPX-CEC-M1-V3 Codesys V3 = All Versions
Control block CPX-CEC-S1-V3 Codesys V3 = All Versions
555668 Control block CPX-CMXX = All Versions
555667 Control block CPX-CMXX = All Versions
Controller CECC-D = All Versions
Controller CECC-D-BA = All Versions
Controller CECC-D-CS = All Versions
Controller CECC-LK = All Versions
Controller CECC-S = All Versions
Controller CECC-X-M1 = All Versions
Controller CECC-X-M1-MV = All Versions
Controller CECC-X-M1-S1 = All Versions
553852 Controller CECX-X-C1 = All Versions
553853 Controller CECX-X-M1 = All Versions
Controller CPX-E-CEC-C1 = All Versions
Controller CPX-E-CEC-C1-EP = All Versions
Controller CPX-E-CEC-C1-PN = All Versions
Controller CPX-E-CEC-M1 = All Versions
Controller CPX-E-CEC-M1-EP = All Versions
Controller CPX-E-CEC-M1-PN = All Versions
559869 Controller FED-CEC = All Versions
Operator unit CDPX-X-A-S-10 = All Versions
Operator unit CDPX-X-A-W-13 = All Versions
Operator unit CDPX-X-A-W-4 = All Versions
Operator unit CDPX-X-A-W-7 = All Versions
Operator unit CDPX-X-E1-W-10 = All Versions
Operator unit CDPX-X-E1-W-15 = All Versions
Operator unit CDPX-X-E1-W-7 = All Versions

Summary

The products are shipped with an unsafe configuration of the integrated CODESYS Runtime
environment: no default password is set on the CODESYS PLC, so access without authentication
is possible.

Once a connection to the CODESYS Runtime has been established, the PLC-Browser commands are
available. These make it possible to, e.g., read and modify the configuration file(s), start/stop
the application and reboot the device.

Vulnerabilities



Last Update
Sept. 14, 2022, 4:48 p.m.
Weakness
Insecure Default Initialization of Resource (CWE-1188)
Summary

In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57, password protection is not enabled by default, and there is no information or prompt to enable password protection at login in case no password is set at the controller.

Last Update
May 25, 2022, 4:26 p.m.
Weakness
Exposure of Resource to Wrong Sphere (CWE-668)
Summary

A remote, authenticated attacker could utilize the control program of the CODESYS Control runtime system to use the vulnerability in order to read and modify the configuration file(s) of the affected products.

Solution

Mitigation

Festo has identified the following compensatory measures to reduce the risk:

  • For CVE-2022-22515: Using the online user management prevents an attacker from
    downloading and executing malicious code, but also suppresses start, stop, debug, or other
    actions on a known working application that could potentially disrupt a machine or system.
  • For CVE-2022-31806: Enable password protection at login in case no password is set at the
    controller. Please note that the password configuration file is not covered by the default
    FFT backup & Restore mechanism; you must select the related file manually.

General recommendations

As part of a security strategy, Festo recommends the following general defense measures to reduce
the risk of exploits:

- Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
- Use firewalls to protect and separate the control system network from other networks
- Use VPN (Virtual Private Network) tunnels if remote access is required
- Activate and apply user management and password features
- Use encrypted communication links
- Limit the access to both development and control system by physical means, operating system features, etc.
- Protect both development and control system by using up-to-date virus detection solutions

Festo strongly recommends minimizing and protecting network access to connected devices with
state-of-the-art techniques and processes.

For a secure operation follow the recommendations in the product manuals.

Reported by

Daniel dos Santos, Rob Hulsebos from Forescout for reporting to Festo.
CERT@VDE for coordination and support with this publication.