3S-Smart Software Solutions GmbH has released a new version that mitigates a null pointer exception vulnerability in its CODESYS Gateway Server, according to an ICS-CERT advisory.
Ashish Kamble of Qualys, who discovered the remotely exploitable vulnerability, tested the new version to validate it resolves the problem.
CODESYS Gateway Server Version 126.96.36.199 and prior versions are affected.
The null pointer exception causes the server to crash, creating a denial of service.
3S-Smart Software Solutions GmbH is headquartered in Kempten, Germany, and has distributors in more than 10 countries worldwide.
The affected product, CODESYS Gateway Server, is a software-defined server deployed primarily in the critical manufacturing and energy sectors. 3S-Smart Software Solutions GmbH estimates that these products are used worldwide.
The server fails to handle certain HTTP POST/GET requests, leading to a null pointer exception that crashes the server process. The result of the crash is a denial of service.
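The failure pattern the advisory describes, as a constructed C illustration added here (not CODESYS code; the header name, the `find_header` helper and the sample requests are assumptions): a request handler that dereferences a lookup result without a null check, beside one that rejects the single bad request instead of taking the whole process down.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample requests (not captured traffic). The second one
 * omits the header the handler expects; the third carries a non-number. */
static const char *const GOOD_REQ =
    "POST /gateway HTTP/1.1\r\nHost: plc\r\nContent-Length: 12\r\n\r\nhello world!";
static const char *const NO_LEN_REQ =
    "GET /gateway HTTP/1.1\r\nHost: plc\r\n\r\n";
static const char *const BAD_LEN_REQ =
    "POST /gateway HTTP/1.1\r\nHost: plc\r\nContent-Length: abc\r\n\r\n";

/* Hypothetical helper: pointer to the value of header `name`, or NULL when
 * the request does not carry that header. */
static const char *find_header(const char *req, const char *name) {
    const char *p = strstr(req, name);
    if (p == NULL || p[strlen(name)] != ':') return NULL;
    return p + strlen(name) + 1;
}

/* Vulnerable pattern: assumes the header is always present. A request
 * without Content-Length makes strtoul dereference NULL, so one malformed
 * request kills the server process: the denial of service in the advisory. */
unsigned long body_len_unchecked(const char *req) {
    const char *v = find_header(req, "Content-Length");
    return strtoul(v, NULL, 10);        /* v may be NULL here */
}

/* Hardened pattern: a missing or non-numeric field is rejected for that one
 * request (the caller answers 400) instead of crashing. Returns -1 on error. */
long body_len_checked(const char *req) {
    const char *v = find_header(req, "Content-Length");
    if (v == NULL) return -1;           /* header absent: reject, do not deref */
    char *end = NULL;
    unsigned long n = strtoul(v, &end, 10);
    if (end == v) return -1;            /* no digits at all: malformed */
    return (long)n;
}

int main(void) {
    printf("good request: %ld\n", body_len_checked(GOOD_REQ));     /* 12 */
    printf("no length   : %ld\n", body_len_checked(NO_LEN_REQ));   /* -1 */
    printf("bad length  : %ld\n", body_len_checked(BAD_LEN_REQ));  /* -1 */
    /* body_len_unchecked(NO_LEN_REQ) would crash the process. */
    return 0;
}
```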
CVE-2015-6484 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
No known public exploits specifically target this vulnerability. An attacker with low skill could exploit it.
3S-Smart Software Solutions GmbH released a new version of CODESYS, Version 188.8.131.52, which addresses the null pointer exception vulnerability. CODESYS Version 184.108.40.206 is now available.