Share: Email | Twitter

ID

VDE-2023-003

Published

2023-03-14 10:14 (CET)

Last update

2023-03-14 10:14 (CET)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No┬░ Product Name Affected Version(s)
1264327 ENERGY AXC PU < V04.15.00.00

Summary

Multiple vulnerabilities have been discovered in CODESYS Control V3 runtime system.
For details regarding the single vulnerabilities please refer to the security advisories issued by CODESYS:

  • CODESYS Security Advisory 2022-02
  • CODESYS Security Advisory 2022-04
  • CODESYS Security Advisory 2022-06
  • CODESYS Security Advisory 2022-09

Vulnerabilities



Last Update
May 25, 2022, 4:26 p.m.
Weakness
Exposure of Resource to Wrong Sphere (CWE-668)
Summary

A remote, authenticated attacker could utilize the control program of the CODESYS Control runtime system to use the vulnerability in order to read and modify the configuration file(s) of the affected products.

Last Update
March 1, 2023, 6:43 a.m.
Weakness
Uncontrolled Resource Consumption (CWE-400)
Summary

In CmpChannelServer of CODESYS V3 in multiple versions an uncontrolled ressource consumption allows an unauthorized attacker to block new communication channel connections. Existing connections are not affected.

Last Update
May 25, 2022, 4:27 p.m.
Weakness
Small Space of Random Values (CWE-334)
Summary

An unauthenticated, remote attacker can disrupt existing communication channels between CODESYS products by guessing a valid channel ID and injecting packets. This results in the communication channel to be closed.

Last Update
May 25, 2022, 4:26 p.m.
Weakness
Untrusted Pointer Dereference (CWE-822)
Summary

An authenticated, remote attacker can gain access to a dereferenced pointer contained in a request. The accesses can subsequently lead to local overwriting of memory in the CmpTraceMgr, whereby the attacker can neither gain the values read internally nor control the values to be written. If invalid memory is accessed, this results in a crash.

Last Update
May 25, 2022, 4:25 p.m.
Weakness
NULL Pointer Dereference (CWE-476)
Summary

An authenticated remote attacker can cause a null pointer dereference in the CmpSettings component of the affected CODESYS products which leads to a crash.

Impact

The CODESYS Control runtime system enables embedded or PC-based devices to be a programmable industrial controller. Such products contain communication servers for the CODESYS protocol to enable communication with clients.

Solution

Mitigation

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to Phoenix Contacts application note.
Measures to protect network-capable devices with Ethernet connection

Remediation

Phoenix Contact strongly recommends updating to the latest firmware mentioned in the list of affected products, which fixes this vulnerability.

Reported by

PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.