Incorrect permission assignment for critical resource in CODESYS products - CVE-2019-9008
Published: September 13, 2019 / Updated: September 13, 2019
Vulnerability identifier: #VU21100
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-9008
CWE-ID: CWE-732
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: CODESYS
Affected software:
CODESYS HMI V3
CODESYS V3 Simulation Runtime (part of the CODESYS Development System)
CODESYS Control Win V3 (part of the CODESYS Development System setup)
CODESYS Control RTE V3 (for Beckhoff CX)
CODESYS Control RTE V3
CODESYS Control for Raspberry Pi
CODESYS Control for PFC200
CODESYS Control for PFC100
CODESYS Control for IOT2000
CODESYS Control for emPC-A/iMX6
CODESYS Control for BeagleBone
CODESYS firmware
CODESYS HMI V3
CODESYS V3 Simulation Runtime (part of the CODESYS Development System)
CODESYS Control Win V3 (part of the CODESYS Development System setup)
CODESYS Control RTE V3 (for Beckhoff CX)
CODESYS Control RTE V3
CODESYS Control for Raspberry Pi
CODESYS Control for PFC200
CODESYS Control for PFC100
CODESYS Control for IOT2000
CODESYS Control for emPC-A/iMX6
CODESYS Control for BeagleBone
CODESYS firmware
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to unintended functionality on the target system.
The vulnerability exists in the CODESYS Control V3 online user management interface due to the software may incorrectly grant access to sub objects, even if the logged-in user does not have inherited permission to access them. A remote authenticated attacker can gain access to unintended functionality and/or information.
How to mitigate CVE-2019-9008
Install updates from vendor's website.