SB2011122501 - Multiple vulnerabilities in CODESYS

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2011-5058)

The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.

The CmbWebserver.dll module of the Control service in 3S CoDeSys 3.4 SP4 Patch 2 allows remote attackers to create arbitrary directories under the web root by specifying a non-existent directory using (backslash) characters in an HTTP GET request.

2) Heap-based buffer overflow (CVE-ID: CVE-2011-5008)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in Integer overflow in the GatewayService component in 3S CoDeSys 3.4 SP4 Patch 2. A remote attacker can use a large size value in the packet header to trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

3) NULL pointer dereference (CVE-ID: CVE-2011-5009)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via (1) a crafted Content-Length in an HTTP POST or (2) an invalid HTTP request method.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• http://aluigi.altervista.org/adv/codesys_1-adv.txt
• http://secunia.com/advisories/47018
• http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-336-01A.pdf
• https://exchange.xforce.ibmcloud.com/vulnerabilities/72339
• http://seclists.org/bugtraq/2011/Nov/178
• http://www.osvdb.org/77386
• https://exchange.xforce.ibmcloud.com/vulnerabilities/71531
• http://www.osvdb.org/77388
• http://www.osvdb.org/77389
• https://exchange.xforce.ibmcloud.com/vulnerabilities/71533