#VU19621 Insufficient verification of data authenticity in CODESYS products - CVE-2019-9010
Published: August 2, 2019 / Updated: August 2, 2019
Vulnerability identifier: #VU19621
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-9010
CWE-ID: CWE-345
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vulnerable software:
CODESYS Development System
CODESYS Gateway
CODESYS Control Runtime System Toolkit
CODESYS Control for Raspberry Pi
CODESYS Control for PFC200
CODESYS Control for PFC100
CODESYS Control for Linux
CODESYS Control for IOT2000
CODESYS Control for emPC-A/iMX6
CODESYS Control for BeagleBone
CODESYS firmware
CODESYS Development System
CODESYS Gateway
CODESYS Control Runtime System Toolkit
CODESYS Control for Raspberry Pi
CODESYS Control for PFC200
CODESYS Control for PFC100
CODESYS Control for Linux
CODESYS Control for IOT2000
CODESYS Control for emPC-A/iMX6
CODESYS Control for BeagleBone
CODESYS firmware
Software vendor:
CODESYS
CODESYS
Description
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists within the CmpGateway component that fails to properly verify ownership of the communication channel. A remote attacker can perform man-in-the-middle attack and impersonate the communication party.
Remediation
3S-Smart Software Solutions GmbH has released 3.5.14.20 and 3.5.15.0 versions to address this vulnerability.