#VU16611 Spoofing attack in CODESYS products - CVE-2018-20026 

 


Published: December 19, 2018


Vulnerability identifier: #VU16611
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-20026
CWE-ID: CWE-923
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
CODESYS Simulation Runtime
CODESYS Development System
CODESYS PLCHandler SDK
CODESYS OPC Server
CODESYS HMI
CODESYS Gateway
CODESYS Safety SIL2
CODESYS Remote Target Visu Toolkit
CODESYS Embedded Target Visu Toolkit
CODESYS Control Runtime System Toolkit
CODESYS Control Win
CODESYS Control RTE
CODESYS Control for Raspberry Pi
CODESYS Control for PFC200
CODESYS Control for PFC100
CODESYS Control for Linux
CODESYS Control for IOT2000
CODESYS Control for emPC-A/iMX6
CODESYS Control for BeagleBone
Software vendor:
CODESYS

Description

The vulnerability allows a remote attacker to conduct a spoofing attack on the target system.

The vulnerability exists because the application does not properly restrict communication channels. A remote unauthenticated attacker can spoof the source of communication packets.


Remediation

Install the update from the vendor's website.
