Vulnerability identifier: #VU16610
Vulnerability risk: Low
CVSSv3.1: 8.2 (temporal score; the base score of this vector is 9.4, lowered by E:U/RL:O) [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-330 (Use of Insufficiently Random Values)
Exploitation vector: Network
Exploit availability: No
Vulnerable software (every product below is listed by this page under Client/Desktop applications / Other client software):
CODESYS Simulation Runtime
CODESYS Development System
CODESYS PLCHandler SDK
CODESYS OPC Server
CODESYS HMI
CODESYS Gateway
CODESYS Safety SIL2
CODESYS Remote Target Visu Toolkit
CODESYS Embedded Target Visu Toolkit
CODESYS Control Runtime System Toolkit
CODESYS Control Win
CODESYS Control RTE
CODESYS Control for Raspberry Pi
CODESYS Control for PFC200
CODESYS Control for PFC100
CODESYS Control for Linux
CODESYS Control for IOT2000
CODESYS Control for emPC-A/iMX6
CODESYS Control for BeagleBone
Vendor: CODESYS
Description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The vulnerability exists because the affected products use insufficiently random values (CWE-330). A remote attacker who can predict such a value (for example one used as a challenge, nonce or key material) needs no authentication and only network access to bypass security restrictions and compromise the confidentiality and integrity of data stored on the device; the CVSS vector also records a low impact on availability. The advisory does not name the specific value or the component that generates it, and no public exploit was known at the time of the report.
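The advisory does not say which value is generated weakly or how. As an added illustration of what CWE-330 means in practice (example code written for this page, not CODESYS code), the block below models a hypothetical challenge generator whose 32-bit LCG is seeded from the second-resolution clock and exposes only the high 16 bits of its state: an attacker who records two issued challenges recovers the seed by searching the plausible time window and predicts the next one. The CSPRNG-based strong_nonce is the replacement. The class and function names, the LCG parameters, the time window and the timestamp in demo are all assumptions made for the example.

```python
"""Added example of CWE-330 (use of insufficiently random values).

This is NOT CODESYS code. It models a hypothetical challenge generator
seeded from the clock, the attacker's seed recovery, and the fix.
"""
import secrets
import time
from typing import List, Optional

# 32-bit LCG parameters (Numerical Recipes); any LCG is equally predictable.
_A = 1664525
_C = 1013904223
_M = 2 ** 32


def _step(state: int) -> int:
    return (_A * state + _C) % _M


def _output(state: int) -> int:
    # Expose only the high 16 bits, as rand()-style APIs typically do, so the
    # next value cannot be read straight off the last one.
    return (state >> 16) & 0xFFFF


class WeakNonceGenerator:
    """Vulnerable: a deterministic generator seeded from the wall clock."""

    def __init__(self, seed: int) -> None:
        self.state = seed % _M

    @classmethod
    def from_clock(cls, now: Optional[int] = None) -> "WeakNonceGenerator":
        # Second-resolution time leaves only a few thousand plausible seeds
        # for any challenge issued within the last hour.
        return cls(int(time.time()) if now is None else now)

    def next_nonce(self) -> int:
        self.state = _step(self.state)
        return _output(self.state)


def recover_seed(observed: List[int], approx_time: int, window: int = 3600) -> Optional[int]:
    """Attacker side: find the seed in [approx_time - window, approx_time + window]
    that reproduces the observed sequence of nonces, or None if there is none."""
    for seed in range(approx_time - window, approx_time + window + 1):
        g = WeakNonceGenerator(seed)
        if all(g.next_nonce() == n for n in observed):
            return seed
    return None


def predict_next(observed: List[int], approx_time: int, window: int = 3600) -> Optional[int]:
    """Attacker side: replay the recovered generator past the observed values
    and return the nonce the server will issue next."""
    seed = recover_seed(observed, approx_time, window)
    if seed is None:
        return None
    g = WeakNonceGenerator(seed)
    for _ in observed:
        g.next_nonce()
    return g.next_nonce()


def strong_nonce() -> bytes:
    """Fixed: 128 bits from the OS CSPRNG; there is no seed to recover and no
    state that previous outputs reveal."""
    return secrets.token_bytes(16)


def demo(issue_time: int = 1_700_000_000) -> bool:
    """Constructed scenario: the attacker's clock is two minutes off the
    server's and they have seen two challenges. Returns True when the
    predicted third challenge equals the one the server actually issues."""
    server = WeakNonceGenerator.from_clock(issue_time)  # constructed timestamp
    seen = [server.next_nonce(), server.next_nonce()]
    guess = predict_next(seen, issue_time + 120)
    return guess == server.next_nonce()


if __name__ == "__main__":
    print("weak generator predicted:", demo())
    print("strong nonce:", strong_nonce().hex())
```

The search costs a few thousand LCG steps, so hiding half the state buys nothing once the seed space is tied to the clock; the only fix is to draw the value from a CSPRNG, which is what strong_nonce does.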
Mitigation
Install the update from the vendor's website (the CODESYS security reports page under External links). Because this report marks all versions of every listed product as affected, treat any installation that has not been updated since the report as vulnerable.
Vulnerable software versions
All versions of each product listed above under Vulnerable software (CODESYS Simulation Runtime through CODESYS Control for BeagleBone).
External links
http://www.codesys.com/security/security-reports.html
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.