Cybersecurity researchers at Russian cybersecurity firm Positive Technologies discovered as many as ten critical flaws impacting CODESYS automation computer software that could be exploited to remote code execution on programmable logic controllers (PLCs).
The Russian cybersecurity firm initially discovered the vulnerabilities in a programmable logic controller (PLC) available by WAGO, but further investigation revealed that the issues were actually introduced by CODESYS software that is used by more than a dozen automation technology firms including Beckhoff, Kontron, Moeller, Festo, Mitsubishi, HollySys and several Russian companies.
CODESYS offers a better environment for programming controller programs used in industrial control systems. The German software organization credited Vyacheslav Moskvin, Denis Goryushev, Anton Dorfman, Ivan Kurnakov, and Sergey Fedonin of Good Technologies and Yossi Reuven of SCADAfence for identifying the vulnerabilities.
“To exploit the vulnerabilities, an attacker does not need to have a username or password obtaining network obtain to the industrial controller is ample. The main result of the vulnerabilities is insufficient verification of enter information, which may well itself be triggered by failure to comply with the protected improvement tips,” scientists from Positive Technologies stated.
Six of the most critical flaws were discovered in the CODESYS V2.3 web server component used by CODESYS WebVisu to visualize a human-device interface (HMI) in a web browser. The flaws could perhaps be leveraged by an adversary to send specifically-designed web server requests to trigger a denial-of-support condition, publish or study arbitrary code to and from a manage runtime system’s memory.
All the 6 flaws have been rated critical on the CVSS scale —
• CVE-2021-30189 – Stack-dependent Buffer Overflow
• CVE-2021-30190 – Improper Accessibility Handle
• CVE-2021-30191 – Buffer Copy without Checking Sizing of Input
• CVE-2021-30192 – Improperly Executed Security Examine
• CVE-2021-30193 – Out-of-bounds Publish
• CVE-2021-30194 – Out-of-bounds Examine
“Their exploitation can guide to distant command execution on PLC, which could disrupt technological procedures and result in industrial incidents and financial losses. The most infamous illustration of exploiting very similar vulnerabilities is by applying Stuxnet,” explained Vladimir Nazarov, Head of ICS Security at Beneficial Technologies.
CODESYS has published an advisory for its CODESYS V2 web server, Runtime Toolkit, and PLCWinNT products to address the vulnerabilities. The company has published separate advisories for the critical, high, and medium-severity issues while recommending users to install the updates.
Last month, the Treasury Department of the U.S. government sanctioned Positive Technologies for allegedly supporting Kremlin intelligence agencies. However, the company said it will continue to responsibly disclose the flaws discovered by its employees in the products of major U.S. firms.