Spoofing attack in CODESYS Client/Desktop applications

#VU16611 Spoofing attack in CODESYS Client/Desktop applications

Published: 2018-12-19

Vulnerability identifier: #VU16611

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-20026

CWE-ID: CWE-923

Exploitation vector: Network

Exploit availability: No

Vendor: CODESYS

Description

The vulnerability allows a remote attacker to conduct spoofing attack on the target system.

The vulnerability exists due to the application does not properly restrict communication channels. A remote unauthenticated attacker can spoof the source of communication packets.

Mitigation
Install update from vendor's website.

Vulnerable software versions

CODESYS Simulation Runtime: All versions

CODESYS Development System: All versions

CODESYS PLCHandler SDK: All versions

CODESYS OPC Server: All versions

CODESYS HMI: All versions

CODESYS Gateway: All versions

CODESYS Safety SIL2: All versions

CODESYS Remote Target Visu Toolkit: All versions

CODESYS Embedded Target Visu Toolkit: All versions

CODESYS Control Runtime System Toolkit: All versions

CODESYS Control Win: All versions

CODESYS Control RTE: All versions

CODESYS Control for Raspberry Pi: All versions

CODESYS Control for PFC200: All versions

CODESYS Control for PFC100: All versions

CODESYS Control for Linux: All versions

CODESYS Control for IOT2000: All versions

CODESYS Control for emPC-A/iMX6: All versions

CODESYS Control for BeagleBone: All versions

External links
http://www.codesys.com/security/security-reports.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in CODESYS Control Products