Share: Email | Twitter

ID

VDE-2023-024

Published

2023-07-28 09:45 (CEST)

Last update

2023-07-28 09:46 (CEST)

Vendor(s)

CODESYS GmbH

Product(s)

Article No┬░ Product Name Affected Version(s)
CODESYS Development System 3.5.9.0 < 3.5.17.0
CODESYS Scripting 4.0.0.0 < 4.1.0.0

Last Update:

July 28, 2023, 9:44 a.m.

Weakness

Exposure of Resource to Wrong Sphere  (CWE-668) 

Summary

In CODESYS Development System 3.5.9.0 to 3.5.17.0 and CODESYS Scripting 4.0.0.0 to 4.1.0.0 unsafe directory permissions would allow an attacker with local access to the workstation to place potentially harmful and disguised scripts that could be executed by legitimate users.


Impact

Please consult CODESYS Security Advisory 2023-09 for more details.

Solution

Update CODESYS Development System to version 3.5.17.0 or newer.

Update CODESYS Scripting to version 4.1.0.0 or newer.

This version can be downloaded and installed directly with the CODESYS Installer. A CODESYS Development
System version of 3.5.17.0 or newer is required.

Alternatively, you can visit the CODESYS update area for more information on how to obtain the software
update.


Reported by

This vulnerability was discovered by Sina Kheirkhah (@SinSinology) of Summoning Team
(@SummoningTeam) working with Trend Micro Zero Day Initiative.
CODESYS coordinated with CERT@VDE.