ID

VDE-2023-066

Published

2023-12-05 15:25 (CET)

Last update

2024-02-29 14:32 (CET)

Vendor(s)

CODESYS GmbH

Product(s)

Article No° | Product Name | Affected Version(s)
 | CODESYS Control for BeagleBone SL | < 4.11.0.0
 | CODESYS Control for emPC-A/iMX6 SL | < 4.11.0.0
 | CODESYS Control for IOT2000 SL | < 4.11.0.0
 | CODESYS Control for Linux ARM SL | < 4.11.0.0
 | CODESYS Control for Linux SL | < 4.11.0.0
 | CODESYS Control for PFC100 SL | < 4.11.0.0
 | CODESYS Control for PFC200 SL | < 4.11.0.0
 | CODESYS Control for PLCnext SL | < 4.11.0.0
 | CODESYS Control for Raspberry Pi SL | < 4.11.0.0
 | CODESYS Control for WAGO Touch Panels 600 SL | < 4.11.0.0
 | CODESYS Runtime Toolkit for Linux or QNX | < 3.5.19.50

Summary

UPDATE 29.02.2024: Removed "This version is planned for January 2024." from Solution as the updated version is released.

On CODESYS Control runtimes running on Linux or QNX operating systems, successfully authenticated PLC programmers can utilize SysFile or CAA-File system libraries to inject calls to additional shell functions.


Last Update:

Dec. 4, 2023, 9:47 a.m.

Weakness

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Summary

A low-privileged remote attacker could exploit the vulnerability and inject additional system commands via file system libraries which could give the attacker full control of the device.


Impact

The CODESYS Control runtime system enables embedded or PC-based devices to be a programmable industrial controller. Control programs can access local or remote IOs, communication interfaces such as serial ports or sockets, and local system functions such as the file system, the real-time clock and other OS functions.
A successfully authenticated control programmer could exploit this vulnerability to inject calls to additional operating system shell functions via the SysFile or CAA file system libraries.
Only CODESYS Control runtime systems running on Linux or QNX operating systems are affected by this vulnerability.

Solution

Mitigation

To exploit this vulnerability, an attacker must first log in successfully with user rights that permit downloading a PLC application. The online user management therefore protects against exploitation of this security vulnerability.

CODESYS GmbH strongly recommends using the online user management. This not only prevents an attacker from downloading virulent code or sending malicious requests, but also suppresses starting, stopping, debugging or other actions on a known working application that could potentially disrupt a machine or system. As of version 3.5.17.0, the online user management is enforced by default.

Remediation

Update the following products to version 3.5.19.50:
• CODESYS Runtime Toolkit

Update the following products to version 4.11.0.0:
• CODESYS Control for BeagleBone SL
• CODESYS Control for emPC-A/iMX6 SL
• CODESYS Control for IOT2000 SL
• CODESYS Control for Linux ARM SL
• CODESYS Control for Linux SL
• CODESYS Control for PFC100 SL
• CODESYS Control for PFC200 SL
• CODESYS Control for PLCnext SL
• CODESYS Control for Raspberry Pi SL
• CODESYS Control for WAGO Touch Panels 600 SL

The products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store.

Alternatively, and for all other products, further information on obtaining the software update is available in the CODESYS Update area.
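
The remediation thresholds above can be applied to an asset inventory as follows. This is an added example, not CODESYS or CERT@VDE code; the inventory layout, device names and function names are assumptions made for illustration, and only the fixed versions and product names come from this advisory.

```python
# Fixed versions come from the advisory; the inventory rows below are constructed.
FIXED_CONTROL_SL = (4, 11, 0, 0)   # CODESYS Control for <platform> SL
FIXED_TOOLKIT = (3, 5, 19, 50)     # CODESYS Runtime Toolkit for Linux or QNX
CONTROL_SL_PLATFORMS = {
    "BeagleBone", "emPC-A/iMX6", "IOT2000", "Linux ARM", "Linux",
    "PFC100", "PFC200", "PLCnext", "Raspberry Pi", "WAGO Touch Panels 600",
}

def parse_version(text):
    """Turn '4.9.0.0' into (4, 9, 0, 0) so that 4.9 sorts below 4.11."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)  # int() raises ValueError on non-numbers

def fixed_version_for(product, operating_system):
    """Return the fixed version for a listed product, or None if not listed."""
    prefix, suffix = "CODESYS Control for ", " SL"
    if product.startswith(prefix) and product.endswith(suffix):
        platform = product[len(prefix):-len(suffix)]
        return FIXED_CONTROL_SL if platform in CONTROL_SL_PLATFORMS else None
    if product == "CODESYS Runtime Toolkit":
        # Only runtimes on Linux or QNX are affected.
        on_affected_os = operating_system.lower() in {"linux", "qnx"}
        return FIXED_TOOLKIT if on_affected_os else None
    return None

def triage(inventory):
    """Yield (device, status): 'affected', 'fixed', 'not listed' or 'unparsed'."""
    for device, product, version, operating_system in inventory:
        fixed = fixed_version_for(product, operating_system)
        if fixed is None:
            yield device, "not listed"
            continue
        try:
            installed = parse_version(version)
        except ValueError:
            yield device, "unparsed"  # check by hand instead of assuming safe
            continue
        yield device, "affected" if installed < fixed else "fixed"

# Constructed sample inventory: (device, product, installed version, OS)
SAMPLE = [
    ("plc-01", "CODESYS Control for Raspberry Pi SL", "4.9.0.0", "Linux"),
    ("plc-02", "CODESYS Control for PFC200 SL", "4.11.0.0", "Linux"),
    ("plc-03", "CODESYS Runtime Toolkit", "3.5.19.40", "QNX"),
    ("plc-04", "CODESYS Runtime Toolkit", "3.5.19.40", "Windows"),
    ("plc-05", "CODESYS Control for Linux SL", "4.10", "Linux"),
]
```

Versions are compared as integer tuples because a plain string comparison would rank "4.9.0.0" above "4.11.0.0" and report an affected device as fixed.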

Reported by

This vulnerability was reported by Chuya Hayakawa of 00One, Inc. to JPCERT/CC.

JPCERT/CC reported this vulnerability to CODESYS.

CERT@VDE coordinated with CODESYS.