Millions of PLC (programmable logic controllers) used in industrial environments worldwide are at risk to 15 vulnerabilities in the CODESYS V3 software development kit, allowing remote code execution (RCE) and denial of service (DoS) attacks.
Over 500 device manufacturers use the CODESYS V3 SDK for programming on more than 1,000 PLC models according to the IEC 61131-3 standard, allowing users to develop custom automation sequences.
The SDK also provides a Windows management interface and a simulator that allows users to test their PLC configuration and programming before deploying it in production.
The fifteen flaws in the CODESYS V3 SDK were discovered by Microsoft researchers, who reported them to CODESYS in September 2022. The vendor released security updates to address the identified problems in April 2023.
Due to the nature of those devices, they are not frequently updated to fix security problems, so Microsoft’s security team published a detailed post yesterday to raise awareness of the risks and to help the patching pick up pace.
The CODESYS vulnerabilities
Microsoft examined two PLCs from Schnieder Electric and WAGO that use CODESYS V3 and discovered 15 high-severity vulnerabilities (CVSS v3: 7.5 – 8.8).
The flaws are: CVE-2022-47378, CVE-2022-47379, CVE-2022-47380, CVE-2022-47381, CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47385, CVE-2022-47386, CVE-2022-47387, CVE 2022-47388, CVE-2022-47389, CVE-2022-47390, CVE-2022-47392, CVE-2022-47393.
The main issue is in the tag decoding mechanism of the SDK, specifically the fact that tags are copied into the device buffer without verifying their size, giving attackers a buffer overflow opportunity.
Those tags are carriers of data or data structures that provide crucial instructions for the function of the PLC.
The buffer overflow problem isn’t isolated, as Microsoft found it in 15 CODESYS V3 SDK components, including CMPTraceMgr, CMPapp, CMPDevice, CMPApp, CMPAppBP, CMPAppForce, and CMPFileTransfer.
Although the flaws require authentication to exploit, Microsoft says this requirement can be bypassed by using CVE-2019-9013, another flaw impacting CODESYS V3 that exposes user credentials during transport in cleartext form, as demonstrated below.
In 12 of the 15 cases, Microsoft’s analysts were able to leverage the flaw to gain remote code execution on the PLC.
CODESYS’s security advisory lists the following products as impacted if they run versions before 184.108.40.206, regardless of the hardware and OS configuration:
- CODESYS Control RTE (SL)
- CODESYS Control RTE (for Beckhoff CX) SL
- CODESYS Control Win (SL)
- CODESYS Control Runtime System Toolkit
- CODESYS Safety SIL2 Runtime Toolkit
- CODESYS Safety SIL2 PSP
- CODESYS HMI (SL)
- CODESYS Development System V3
- CODESYS Development System V3 simulation runtime
In addition to the above, the following products are impacted on versions prior to 220.127.116.11:
- CODESYS Control for BeagleBone SL
- CODESYS Control for emPC-A/iMX6 SL
- CODESYS Control for IOT2000 SL
- CODESYS Control for Linux SL
- CODESYS Control for PFC100 SL
- CODESYS Control for PFC200 SL
- CODESYS Control for PLCnext SL
- CODESYS Control for Raspberry Pi SL
- CODESYS Control for WAGO Touch Panels 600 SL
Admins are advised to upgrade to CODESYS V3 v18.104.22.168 as soon as possible, while Microsoft also recommends disconnecting PLCs and other critical industrial devices from the internet.