Multiple vulnerabilities in CODESYS products

Published: 2019-09-13

Risk	High
Patch available	YES
Number of vulnerabilities	5
CVE-ID	CVE-2019-13548 CVE-2019-13532 CVE-2019-13538 CVE-2019-13542 CVE-2019-9009
CWE-ID	CWE-121 CWE-22 CWE-79 CWE-476 CWE-399
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	CODESYS V3 Remote Target Visu Toolkit Client/Desktop applications / Other client software CODESYS V3 Embedded Target Visu Toolkit Client/Desktop applications / Other client software CODESYS Control V3 Runtime System Toolkit Client/Desktop applications / Other client software CODESYS HMI V3 Client/Desktop applications / Other client software CODESYS Control Win V3 (part of the CODESYS Development System setup) Client/Desktop applications / Other client software CODESYS Control RTE V3 (for Beckhoff CX) Client/Desktop applications / Other client software CODESYS Control RTE V3 Client/Desktop applications / Other client software CODESYS Control for Raspberry Pi Client/Desktop applications / Other client software CODESYS Control for PFC200 Client/Desktop applications / Other client software CODESYS Control for PFC100 Client/Desktop applications / Other client software CODESYS Control for Linux Client/Desktop applications / Other client software CODESYS Control for IOT2000 Client/Desktop applications / Other client software CODESYS Control for emPC-A/iMX6 Client/Desktop applications / Other client software CODESYS Control for BeagleBone Client/Desktop applications / Other client software CODESYS Development System V3 Client/Desktop applications / Other client software CODESYS V3 Simulation Runtime (part of the CODESYS Development System) Client/Desktop applications / Other client software CODESYS Gateway V3 Client/Desktop applications / Other client software CODESYS V3 Safety SIL2 Client/Desktop applications / Other client software CODESYS firmware Server applications / SCADA systems
Vendor	CODESYS

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Stack-based buffer overflow

EUVDB-ID: #VU21103

Risk: High

CVSSv3.1:

CVE-ID: CVE-2019-13548

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the CODESYS V3 web server. A remote unauthenticated attacker can send a specially crafted HTTP or HTTPS request, trigger stack-based buffer overflow and cause a denial-of-service condition or execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

CODESYS V3 Remote Target Visu Toolkit: All versions

CODESYS V3 Embedded Target Visu Toolkit: All versions

CODESYS Control V3 Runtime System Toolkit: All versions

CODESYS HMI V3: All versions

CODESYS Control Win V3 (part of the CODESYS Development System setup): All versions

CODESYS Control RTE V3 (for Beckhoff CX): All versions

CODESYS Control RTE V3: All versions

CODESYS Control for Raspberry Pi: All versions

CODESYS Control for PFC200: All versions

CODESYS Control for PFC100: All versions

CODESYS Control for Linux: All versions

CODESYS Control for IOT2000: All versions

CODESYS Control for emPC-A/iMX6: All versions

CODESYS Control for BeagleBone: All versions

CODESYS firmware: 1.1.9.18 - 3.5.14.40

Fixed software versions

CPE2.3

cpe:2.3:a:codesys:codesys_v3_remote_target_visu_toolkit:*:*:*:*:*:*:*:*

External links

http://ics-cert.us-cert.gov/advisories/icsa-19-255-01

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Path traversal

EUVDB-ID: #VU21102

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-13532

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in the CODESYS V3 web server. A remote attacker can send a specially crafted HTTP or HTTPS request and read arbitrary files outside the restricted working directory of the controller.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

CODESYS firmware: 1.1.9.18 - 3.5.14.40

CODESYS Control for BeagleBone: All versions

CODESYS Control for emPC-A/iMX6: All versions

CODESYS Control for IOT2000: All versions

CODESYS Control for Linux: All versions

CODESYS Control for PFC100: All versions

CODESYS Control for PFC200: All versions

CODESYS Control for Raspberry Pi: All versions

CODESYS Control RTE V3 (for Beckhoff CX): All versions

CODESYS Control RTE V3: All versions

CODESYS Control Win V3 (part of the CODESYS Development System setup): All versions

CODESYS HMI V3: All versions

CODESYS Control V3 Runtime System Toolkit: All versions

CODESYS V3 Embedded Target Visu Toolkit: All versions

CODESYS V3 Remote Target Visu Toolkit: All versions

Fixed software versions

CPE2.3

cpe:2.3:a:codesys:codesys_firmware:3.5.9.20:*:*:*:*:*:*:*

External links

http://ics-cert.us-cert.gov/advisories/icsa-19-255-01

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

3) Cross-site scripting

EUVDB-ID: #VU21101

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-13538

CWE-ID:

Exploit availability:

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the CODESYS V3 Library Manager. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

CODESYS Development System V3: 3.5.9.40 - 3.5.14.40

Fixed software versions

CPE2.3

cpe:2.3:a:codesys:codesys_development_system_v3:3.5.10.0:*:*:*:*:*:*:*

External links

http://ics-cert.us-cert.gov/advisories/icsa-19-255-02

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) NULL pointer dereference

EUVDB-ID: #VU21099

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-13542

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when processing requests. A remote authenticated attacker can send a specially crafted request from a trusted OPC UA client and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

CODESYS Control Win V3 (part of the CODESYS Development System setup): All versions

CODESYS Control RTE V3: All versions

CODESYS Control RTE V3 (for Beckhoff CX): All versions

CODESYS Control for Raspberry Pi: All versions

CODESYS Control for PFC200: All versions

CODESYS Control for PFC100: All versions

CODESYS Control for Linux: All versions

CODESYS Control for IOT2000: All versions

CODESYS Control for emPC-A/iMX6: All versions

CODESYS Control for BeagleBone: All versions

CODESYS firmware: 3.5.11.0 - 3.5.14.40

Fixed software versions

CPE2.3

cpe:2.3:a:codesys:codesys_control_win_v3_part_of_the_codesys_development_system_setup:*:*:*:*:*:*:*:*

External links

http://ics-cert.us-cert.gov/advisories/icsa-19-255-04

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Resource Management Errors

EUVDB-ID: #VU21098

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-9009

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.

The vulnerability exists due to unspecified error. A remote attacker can send a specially crafted request and cause a denial of service condition.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

CODESYS V3 Simulation Runtime (part of the CODESYS Development System): All versions

CODESYS HMI V3: All versions

CODESYS Gateway V3: All versions

CODESYS V3 Safety SIL2: All versions

CODESYS Control V3 Runtime System Toolkit: All versions

CODESYS Control Win V3 (part of the CODESYS Development System setup): All versions

CODESYS Control RTE V3 (for Beckhoff CX): All versions

CODESYS Control RTE V3: All versions

CODESYS Control for Raspberry Pi: All versions

CODESYS Control for PFC200: All versions

CODESYS Control for PFC100: All versions

CODESYS Control for Linux: All versions

CODESYS Control for IOT2000: All versions

CODESYS Control for emPC-A/iMX6: All versions

CODESYS Control for BeagleBone: All versions

CODESYS firmware: 1.1.9.18 - 3.5.14.40

Fixed software versions

CPE2.3

cpe:2.3:a:codesys:codesys_v3_simulation_runtime_part_of_the_codesys_development_system:*:*:*:*:*:*:*:*

External links

http://ics-cert.us-cert.gov/advisories/icsa-19-255-05

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?