#VU21099 NULL pointer dereference


Published: 2019-09-13 | Updated: 2019-09-13

Vulnerability identifier: #VU21099

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-13542

CWE-ID: CWE-476

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
CODESYS Control Win V3 (part of the CODESYS Development System setup)
Client/Desktop applications / Other client software
CODESYS Control RTE V3
Client/Desktop applications / Other client software
CODESYS Control RTE V3 (for Beckhoff CX)
Client/Desktop applications / Other client software
CODESYS Control for Raspberry Pi
Client/Desktop applications / Other client software
CODESYS Control for PFC200
Client/Desktop applications / Other client software
CODESYS Control for PFC100
Client/Desktop applications / Other client software
CODESYS Control for Linux
Client/Desktop applications / Other client software
CODESYS Control for IOT2000
Client/Desktop applications / Other client software
CODESYS Control for emPC-A/iMX6
Client/Desktop applications / Other client software
CODESYS Control for BeagleBone
Client/Desktop applications / Other client software
CODESYS firmware
Server applications / SCADA systems

Vendor: CODESYS

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when processing requests. A remote authenticated attacker can send a specially crafted request from a trusted OPC UA client and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

CODESYS Control Win V3 (part of the CODESYS Development System setup): All versions

CODESYS Control RTE V3: All versions

CODESYS Control RTE V3 (for Beckhoff CX): All versions

CODESYS Control for Raspberry Pi: All versions

CODESYS Control for PFC200: All versions

CODESYS Control for PFC100: All versions

CODESYS Control for Linux: All versions

CODESYS Control for IOT2000: All versions

CODESYS Control for emPC-A/iMX6: All versions

CODESYS Control for BeagleBone: All versions

CODESYS firmware: 3.5.11.0 - 3.5.14.40


CPE

External links
http://ics-cert.us-cert.gov/advisories/icsa-19-255-04


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability