#VU24801 Resource exhaustion in CODESYS products - CVE-2020-7052
Published: January 31, 2020
Vulnerability identifier: #VU24801
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2020-7052
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
CODESYS Control for BeagleBone
CODESYS Control for emPC-A/iMX6
CODESYS Control for IOT2000
CODESYS Control for Linux
CODESYS Control for PLCnext
CODESYS Control for PFC100
CODESYS Control for PFC200
CODESYS Control for Raspberry Pi
CODESYS Control RTE V3
CODESYS Control RTE V3 (for Beckhoff CX)
CODESYS Control Win V3 (part of the CODESYS Development System setup)
CODESYS Control V3 Runtime System Toolkit
CODESYS V3 Safety SIL2
CODESYS Gateway V3
CODESYS HMI V3
CODESYS V3 Simulation Runtime (part of the CODESYS Development System)
Software vendor:
CODESYS
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to uncontrolled memory allocation in affected products containing communication servers for the CODESYS communication protocol. A remote authenticated attacker can send a specially crafted request, trigger resource exhaustion and perform a denial of service (DoS) attack.
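The defect class named above (CWE-400, an allocation whose size is taken from a request without a bound) is usually mitigated by validating the declared size before any memory is reserved and by charging allocations against a per-session budget. The following C code is an added illustration, not code from the advisory or from CODESYS, and it parses a hypothetical length-prefixed frame format of its own; the frame layout, the caps `MAX_FRAME_PAYLOAD` and `MAX_SESSION_BUDGET`, and all sample frames are constructed assumptions, not the CODESYS protocol.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical frame: 4-byte big-endian payload length followed by the payload.
 * This stand-in format is an assumption for illustration, not the CODESYS protocol. */
#define MAX_FRAME_PAYLOAD   (64u * 1024u)    /* per-request cap (assumed value) */
#define MAX_SESSION_BUDGET  (256u * 1024u)   /* cap on outstanding bytes per session (assumed) */

enum frame_status {
    FRAME_OK = 0,
    FRAME_TRUNCATED,   /* declared length exceeds what was actually received */
    FRAME_TOO_LARGE,   /* declared length exceeds the per-request cap */
    FRAME_BUDGET,      /* session would exceed its outstanding-memory budget */
    FRAME_OOM          /* allocator refused a request that passed all checks */
};

typedef struct {
    size_t outstanding;  /* bytes currently allocated on behalf of this session */
} session_t;

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Writes the 4-byte header for a payload of the given length (used to build sample frames). */
void frame_header(uint8_t hdr[4], uint32_t len)
{
    hdr[0] = (uint8_t)(len >> 24); hdr[1] = (uint8_t)(len >> 16);
    hdr[2] = (uint8_t)(len >> 8);  hdr[3] = (uint8_t)len;
}

/* Hardened parser: every check runs before malloc(), so a request can never make the
 * server reserve more than MAX_FRAME_PAYLOAD, and a session can never hold more than
 * MAX_SESSION_BUDGET in total. On FRAME_OK, *out must be released via frame_release(). */
enum frame_status frame_parse(session_t *s, const uint8_t *buf, size_t buf_len,
                              uint8_t **out, size_t *out_len)
{
    if (buf_len < 4) return FRAME_TRUNCATED;
    uint32_t declared = read_be32(buf);
    if (declared > MAX_FRAME_PAYLOAD) return FRAME_TOO_LARGE;   /* fixed cap, checked first */
    if (declared > buf_len - 4) return FRAME_TRUNCATED;         /* must match received bytes */
    if (s->outstanding + declared > MAX_SESSION_BUDGET) return FRAME_BUDGET;
    uint8_t *copy = malloc(declared ? declared : 1);
    if (!copy) return FRAME_OOM;
    memcpy(copy, buf + 4, declared);
    s->outstanding += declared;
    *out = copy;
    *out_len = declared;
    return FRAME_OK;
}

void frame_release(session_t *s, uint8_t *payload, size_t len)
{
    free(payload);
    s->outstanding -= len;
}

/* Exercises the parser on constructed frames; returns 1 if every case behaves as intended. */
int demo(void)
{
    session_t s = { 0 };
    uint8_t *payload = NULL;
    size_t len = 0;
    int i;

    /* Case 1: well-formed frame carrying a 5-byte payload (constructed sample). */
    uint8_t good[4 + 5];
    frame_header(good, 5);
    memcpy(good + 4, "hello", 5);
    if (frame_parse(&s, good, sizeof good, &payload, &len) != FRAME_OK || len != 5) return 0;
    frame_release(&s, payload, len);

    /* Case 2: header declares 0xFFFFFFFF bytes but only 4 follow; rejected by the cap. */
    uint8_t huge[8] = { 0 };
    frame_header(huge, 0xFFFFFFFFu);
    if (frame_parse(&s, huge, sizeof huge, &payload, &len) != FRAME_TOO_LARGE) return 0;

    /* Case 3: header declares 100 bytes, only 10 are present; rejected as truncated. */
    uint8_t trunc[4 + 10] = { 0 };
    frame_header(trunc, 100);
    if (frame_parse(&s, trunc, sizeof trunc, &payload, &len) != FRAME_TRUNCATED) return 0;

    /* Case 4: four maximal frames fill the session budget exactly; a fifth is refused
     * until the session releases something. */
    uint8_t *big = calloc(4 + MAX_FRAME_PAYLOAD, 1);
    if (!big) return 0;
    frame_header(big, MAX_FRAME_PAYLOAD);
    uint8_t *held[4]; size_t held_len[4];
    for (i = 0; i < 4; i++)
        if (frame_parse(&s, big, 4 + MAX_FRAME_PAYLOAD, &held[i], &held_len[i]) != FRAME_OK) { free(big); return 0; }
    if (frame_parse(&s, big, 4 + MAX_FRAME_PAYLOAD, &payload, &len) != FRAME_BUDGET) { free(big); return 0; }
    for (i = 0; i < 4; i++) frame_release(&s, held[i], held_len[i]);
    free(big);
    return s.outstanding == 0 ? 1 : 0;
}

int main(void)
{
    printf("hardened frame parser checks: %s\n", demo() ? "pass" : "FAIL");
    return demo() ? 0 : 1;
}
```

The order of the checks matters: the fixed cap is compared first, so an absurd declared length is refused by a single integer comparison and never reaches the allocator, and the session budget turns many individually valid requests into a bounded total rather than an unbounded one.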
Remediation
Install updates from the vendor's website.