
ID

VDE-2024-026

Published

2024-06-04 08:00 (CEST)

Last update

2024-06-04 10:52 (CEST)

Vendor(s)

CODESYS GmbH

Product(s)

Article No° Product Name Affected Version(s)
CODESYS Control for BeagleBone SL < 4.12.0.0
CODESYS Control for emPC-A/iMX6 SL < 4.12.0.0
CODESYS Control for IOT2000 SL < 4.12.0.0
CODESYS Control for Linux ARM SL < 4.12.0.0
CODESYS Control for Linux SL < 4.12.0.0
CODESYS Control for PFC100 SL < 4.12.0.0
CODESYS Control for PFC200 SL < 4.12.0.0
CODESYS Control for PLCnext SL < 4.12.0.0
CODESYS Control for Raspberry Pi SL < 4.12.0.0
CODESYS Control for WAGO Touch Panels 600 SL < 4.12.0.0
CODESYS Control RTE (for Beckhoff CX) SL < 3.5.20.10
CODESYS Control RTE (SL) < 3.5.20.10
CODESYS Control Win (SL) < 3.5.20.10
CODESYS HMI (SL) < 3.5.20.10
CODESYS Runtime Toolkit < 3.5.20.10

Summary

The CODESYS OPC UA stack of the CODESYS Control runtime system may incorrectly calculate the required buffer size for received requests/responses. This can lead to a crash of the CODESYS runtime system during the subsequent initialization of the receive buffer with zero.


Last Update:

May 23, 2024, 11:36 a.m.

Weakness

Incorrect Calculation of Buffer Size (CWE-131)

Summary

An unauthenticated remote attacker can use a malicious OPC UA client to send a crafted request to affected CODESYS products which can cause a DoS due to incorrect calculation of buffer size.


Impact

The CODESYS OPC UA stack, implemented by the CmpOPCUAStack component, is an optional part of the CODESYS runtime system. Both the CODESYS OPC UA Server and the CODESYS OPC UA Client of the CODESYS Control runtime system use the CODESYS OPC UA Stack as a common implementation. The OPC UA protocol enables data exchange between the CODESYS runtime system and OPC UA clients such as SCADA or HMIs, or OPC UA servers such as PLCs or other devices.

If a CODESYS runtime system containing the CmpOPCUAStack component receives a specially crafted request/response, the required buffer size in the CODESYS OPC UA server/client may be incorrectly calculated. This can lead to a crash of the CODESYS runtime system during the subsequent initialization of the receive buffer with zero.

An attacker can exploit this vulnerability by using a malicious OPC UA client to send a crafted request to CODESYS products with an affected CODESYS OPC UA server. Conversely, CODESYS products with an affected CODESYS OPC UA client can be crashed if they have connected to a malicious OPC UA server. CODESYS Control runtime systems usually contain both the OPC UA client and the server. The CODESYS HMI only includes the OPC UA client.

Solution

Mitigation

Starting from version 3.5.15.0 of the affected products, the incorrect calculation of the buffer size can be avoided if the maximum supported array length of the OPC UA stack of the CODESYS Control runtime system is limited to a value of 10129639 or less.

This can be achieved by adding the following setting in the CODESYS runtime configuration file (e.g. CODESYSControl.cfg):
[CmpOPCUAStack]
Stack.MaxArrayLenth=10129639
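The mitigation above, checked mechanically. This is an added example, not CODESYS or CERT@VDE code: it reads a CODESYSControl.cfg and reports whether a runtime of a given version is already fixed, mitigated by the array-length limit, or still exposed. It assumes the file is INI-style ([Section] headers, Key=Value lines) as in the snippet, uses the key name exactly as the advisory prints it, and takes the fix version (3.5.20.10 or 4.12.0.0) from the caller, who picks it from the product table.

```python
import configparser

SECTION = "CmpOPCUAStack"
KEY = "Stack.MaxArrayLenth"        # key name exactly as printed in the advisory
MAX_SAFE_ARRAY_LEN = 10129639      # limit given in the Mitigation section
WORKAROUND_MIN_VERSION = (3, 5, 15, 0)  # workaround only effective from 3.5.15.0


def parse_version(version: str) -> tuple:
    """'3.5.20.10' -> (3, 5, 20, 10) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def max_array_len(cfg_text: str):
    """Return the configured OPC UA array-length limit, or None if unset/invalid.

    Assumption: CODESYSControl.cfg is INI-style, so configparser can read it.
    strict=False tolerates repeated sections; optionxform keeps key case.
    """
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(cfg_text)
    if not parser.has_option(SECTION, KEY):
        return None
    try:
        return int(parser.get(SECTION, KEY).strip())
    except ValueError:
        return None


def status(cfg_text: str, runtime_version: str, fixed_version: str) -> str:
    """Classify a runtime as 'fixed', 'mitigated' or 'vulnerable'.

    fixed_version is 3.5.20.10 or 4.12.0.0 depending on the product (see the
    product table). A limit of 0 or below is treated as not safe (assumption:
    the advisory only vouches for positive values up to 10129639).
    """
    version = parse_version(runtime_version)
    if version >= parse_version(fixed_version):
        return "fixed"
    if version < WORKAROUND_MIN_VERSION:
        return "vulnerable"           # workaround not effective below 3.5.15.0
    limit = max_array_len(cfg_text)
    if limit is not None and 0 < limit <= MAX_SAFE_ARRAY_LEN:
        return "mitigated"
    return "vulnerable"
```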

Remediation

Update the following products to version 3.5.20.10.

  • CODESYS Control RTE (SL)
  • CODESYS Control RTE (for Beckhoff CX) SL
  • CODESYS Control Win (SL)
  • CODESYS Runtime Toolkit
  • CODESYS HMI (SL)

Update the following products to version 4.12.0.0.

  • CODESYS Control for BeagleBone SL
  • CODESYS Control for emPC-A/iMX6 SL
  • CODESYS Control for IOT2000 SL
  • CODESYS Control for Linux ARM SL
  • CODESYS Control for Linux SL
  • CODESYS Control for PFC100 SL
  • CODESYS Control for PFC200 SL
  • CODESYS Control for PLCnext SL
  • CODESYS Control for Raspberry Pi SL
  • CODESYS Control for WAGO Touch Panels 600 SL

The release of version 4.12.0.0 is expected at the end of June 2024.

The products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer, or downloaded from the CODESYS Store. Alternatively, and for all other products, further information on obtaining the software update is available in the CODESYS download area.

Reported by

CERT@VDE coordinated with CODESYS

This issue was reported by ABB Schweiz AG.