Share: Email | Twitter

ID

VDE-2023-026

Published

2023-07-31 09:36 (CEST)

Last update

2023-07-31 09:36 (CEST)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No┬░ Product Name Affected Version(s)
751-9301/xxx-xxx Compact Controller 100 <= FW25
751-9401/xxx-xxx Compact Controller 100 <= FW25
752-8303/8000-0002 EC 300 <= FW25
750-8100/xxx-xxx PFC100 <= FW25
750-8101/xxx-xxx PFC100 <= FW25
750-8102/xxx-xxx PFC100 <= FW25
750-8202/xxx-xxx PFC200 <= FW25
750-8203/xxx-xxx PFC200 <= FW25
750-8204/xxx-xxx PFC200 <= FW25
750-8206/xxx-xxx PFC200 <= FW25
750-8207/xxx-xxx PFC200 <= FW25
750-8210/xxx-xxx PFC200 <= FW25
750-8211/xxx-xxx PFC200 <= FW25
750-8212/xxx-xxx PFC200 <= FW25
750-8213/xxx-xxx PFC200 <= FW25
750-8214/xxx-xxx PFC200 <= FW25
750-8215/xxx-xxx PFC200 <= FW25
750-8216/xxx-xxx PFC200 <= FW25
750-8217/xxx-xxx PFC200 <= FW25
762-4x0x/8000-000x TP 600 <= FW25
762-5x0x/8000-000x TP 600 <= FW25
762-6x0x/8000-000x TP 600 <= FW25

Summary

Multiple WAGO devices are prone to vulnerabilites in the used CODESYS V3 framework.

Vulnerabilities



Last Update
July 27, 2023, 2:27 p.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
July 27, 2023, 2:27 p.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated, remote attacker may use a out-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into memory which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
July 27, 2023, 2:27 p.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated remote attacker may use a stack based  out-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
July 27, 2023, 2:27 p.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
July 27, 2023, 2:27 p.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
July 27, 2023, 2:27 p.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
July 27, 2023, 2:27 p.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
July 27, 2023, 2:27 p.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
July 27, 2023, 2:27 p.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpAppForce Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
July 27, 2023, 2:27 p.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
July 27, 2023, 2:27 p.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
July 27, 2023, 2:27 p.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary

An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

Last Update
July 27, 2023, 2:27 p.m.
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple CODESYS products in multiple versions an unauthorized, remote attacker may use a improper input validation vulnerability to read from invalid addresses leading to a denial of service.

Last Update
July 27, 2023, 2:27 p.m.
Weakness
Improper Input Validation (CWE-20)
Summary

An authenticated, remote attacker may use a improper input validation vulnerability in the CmpApp/CmpAppBP/CmpAppForce Components of multiple CODESYS products in multiple versions to read from an invalid address which can lead to a denial-of-service condition.

Last Update
July 27, 2023, 2:27 p.m.
Weakness
Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
Summary

An authenticated, remote attacker may use a Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple versions of multiple CODESYS products to force a denial-of-service situation.

Last Update
July 27, 2023, 2:27 p.m.
Weakness
Improper Input Validation (CWE-20)
Summary

Multiple CODESYS products in multiple versions are prone to a improper input validation vulnerability. An authenticated remote attacker may craft specific requests that use the vulnerability leading to a denial-of-service condition.

Impact

Please refer to the official CODESYS Advisories:

• Advisory2023-02_CDS-82683
• Advisory2023-03_CDS-84820

Website at https://www.codesys.com/security/security-reports.html

Solution

Mitigation

Vulnerabilities of CODESYS Advisory 2023-02:
• Please make sure that the “port authentication” option in the web-based management is activated. In this way none of the vulnerabilities can be exploited by unauthenticated users.
• Please change the default admin password.

Vulnerability of CODESYS Advisory 2023-03:
• This vulnerability exists in the CODESYS programming service which is needed for commission only. Deactivate the CODESYS programming port in the web-based management if you do not need the service.

In addition to the mitigation hints CODESYS GmbH recommends the following general defense measures to reduce the risk of exploits:

  • Use controllers and devices only in a protected environment to minimize network exposure and ensure they are not accessible from outside.
  • Use firewalls to protect and separate the control system network from other networks.
  • Use VPN (Virtual Private Networks) tunnels if remote access is required.
  • Activate and apply user management and password features.
  • Use encrypted communication links.
  • Limit the access to both development and control system by physical means, operating system features, etc.
  • Protect both development and control system by using up to date virus detection solutions.

For further impact information and risk mitigation, please refer to the official CODESYS Advisory Website at https://www.codesys.com/security/security-reports.html

Remediation

A fixed firmware for affected devices is planned for Q1 2024.

Reported by

CERT@VDE coordinated with WAGO.