Improper access control in CODESYS Control V3

Published: 2019-09-13

Risk	Medium
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2019-9008
CWE-ID	CWE-732
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	CODESYS HMI V3 Client/Desktop applications / Other client software CODESYS V3 Simulation Runtime (part of the CODESYS Development System) Client/Desktop applications / Other client software CODESYS Control Win V3 (part of the CODESYS Development System setup) Client/Desktop applications / Other client software CODESYS Control RTE V3 (for Beckhoff CX) Client/Desktop applications / Other client software CODESYS Control RTE V3 Client/Desktop applications / Other client software CODESYS Control for Raspberry Pi Client/Desktop applications / Other client software CODESYS Control for PFC200 Client/Desktop applications / Other client software CODESYS Control for PFC100 Client/Desktop applications / Other client software CODESYS Control for IOT2000 Client/Desktop applications / Other client software CODESYS Control for emPC-A/iMX6 Client/Desktop applications / Other client software CODESYS Control for BeagleBone Client/Desktop applications / Other client software CODESYS firmware Server applications / SCADA systems
Vendor	CODESYS

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Incorrect permission assignment for critical resource

EUVDB-ID: #VU21100

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-9008

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to unintended functionality on the target system.

The vulnerability exists in the CODESYS Control V3 online user management interface due to the software may incorrectly grant access to sub objects, even if the logged-in user does not have inherited permission to access them. A remote authenticated attacker can gain access to unintended functionality and/or information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

CODESYS HMI V3: All versions

CODESYS V3 Simulation Runtime (part of the CODESYS Development System): All versions

CODESYS Control Win V3 (part of the CODESYS Development System setup): All versions

CODESYS Control RTE V3 (for Beckhoff CX): All versions

CODESYS Control RTE V3: All versions

CODESYS Control for Raspberry Pi: All versions

CODESYS Control for PFC200: All versions

CODESYS Control for PFC100: All versions

CODESYS Control for IOT2000: All versions

CODESYS Control for emPC-A/iMX6: All versions

CODESYS Control for BeagleBone: All versions

CODESYS firmware: 1.1.9.18 - 3.5.12.80

CPE2.3

cpe:2.3:a:codesys:codesys_hmi_v3:*:*:*:*:*:*:*:*

External links

http://ics-cert.us-cert.gov/advisories/icsa-19-255-03

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?