
ID

VDE-2023-021

Published

2023-08-03 12:48 (CEST)

Last update

2023-08-03 12:48 (CEST)

Vendor(s)

CODESYS GmbH

Product(s)

Article No° | Product Name | Affected Version(s)
- | CODESYS Development System | 3.5.17.0 < 3.5.19.20

Summary

The CODESYS Development System is vulnerable to the execution of malicious binaries from the current working directory.



Weakness

Uncontrolled Search Path Element (CWE-427)

Summary

In CODESYS Development System versions from 3.5.17.0 and prior to 3.5.19.20, a vulnerability allows for execution of binaries from the current working directory in the user's context.


Impact

Users could unknowingly launch a malicious binary placed by a local attacker.

Solution

Update the CODESYS Development System to version 3.5.19.20.

The CODESYS Development System can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store.

Alternatively, you will find further information on obtaining the software update in the CODESYS Update area.
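To check a host against this advisory, the following added Python example (not code from CODESYS or CERT@VDE) tests a dotted version string against the affected range 3.5.17.0 < 3.5.19.20 and lists executable-type files in directories users work from. The function names, the suffix list and the sample file names are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

# Affected range stated in the advisory: 3.5.17.0 <= version < 3.5.19.20
AFFECTED_FROM = (3, 5, 17, 0)
FIXED_IN = (3, 5, 19, 20)
# Assumption: file types treated as "binaries" here; adjust to local policy.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".com", ".bat", ".cmd"}


def parse_version(text):
    """Turn '3.5.19.9' into (3, 5, 19, 9); short versions are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]  # ValueError if not numeric
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version_text):
    """Compare numerically: as strings, '3.5.19.9' would sort after '3.5.19.20'."""
    return AFFECTED_FROM <= parse_version(version_text) < FIXED_IN


def binaries_in_working_dir(directory):
    """List executable-type files directly inside a directory a user works from."""
    return sorted(
        p.name
        for p in Path(directory).iterdir()
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    )


def triage(version_text, working_dirs):
    """On an affected installation, map each working directory to the binaries to review."""
    if not is_affected(version_text):
        return {}
    found = {str(d): binaries_in_working_dir(d) for d in working_dirs}
    return {d: names for d, names in found.items() if names}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample directory
        for name in ("Plant.project", "helper.exe"):  # constructed file names
            (Path(d) / name).write_bytes(b"")
        print(is_affected("3.5.19.9"), triage("3.5.19.9", [d]))
```

A finding is only a prompt for review: a binary next to project files may be legitimate, so compare it against what the project owner expects to be there.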

Reported by

This vulnerability was reported by Carlo Di Dato of Deloitte Risk Advisory Italia - Vulnerability Research Team.
Coordination done by CERT@VDE.