SB2021042846 - Multiple vulnerabilities in CODESYS Development System

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Security features bypass (CVE-ID: CVE-2021-29240)

The vulnerability allows a local attacke to compromise the target system.

The vulnerability exists due to the lack of validity of packages before installation in the Package Manager. A local attacker can install CODESYS packages with malicious content. 

2) Incorrect default permissions (CVE-ID: CVE-2023-3670)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for files and folders that are set by the application. A local user with access to the system can view contents of files and directories or modify them.

Remediation

Install update from vendor's website.

References

• https://customers.codesys.com/index.php
• https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=14636&token=1ce7e6e4cbe4651989ede418450d7c82e972bdf2&download=
• https://www.codesys.com/security/security-reports.html
• https://cert.vde.com/en/advisories/VDE-2023-024