3S-Smart Software Solutions GmbH released new versions to handle path traversal and stack-based buffer overflow vulnerabilities in its CODESYS V3 web server, according to a report for CISA.
Successful exploitation of these remotely exploitable vulnerabilities, discovered by Ivan Cheyrezy of Schneider Electric, may allow an attacker to create a denial-of-service condition, to perform remote code execution, or to access restricted files.
In one vulnerability, specially crafted http or https requests may allow an attacker access to files outside the restricted working directory of the controller. CVE-2019-13532 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
In addition, a specially crafted http or https requests could cause a stack overflow, which may create a denial-of-service condition or allow remote code execution.
CVE-2019-13548 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 10.0.
The following CODESYS V3 runtime systems, all versions prior to 184.108.40.206, containing the web server (CmpWebServer) suffer from the issues:
• CODESYS Control for BeagleBone
• CODESYS Control for emPC-A/iMX6
• CODESYS Control for IOT2000
• CODESYS Control for Linux
• CODESYS Control for PFC100
• CODESYS Control for PFC200
• CODESYS Control for Raspberry Pi
• CODESYS Control RTE V3
• CODESYS Control RTE V3 (for Beckhoff CX)
• CODESYS Control Win V3 (also part of the CODESYS Development System setup)
• CODESYS HMI V3
• CODESYS Control V3 Runtime System Toolkit
• CODESYS V3 Embedded Target Visu Toolkit
• CODESYS V3 Remote Target Visu Toolkit
In CODESYS V3, the web server is an optional part of the CODESYS runtime system.
The product sees use mainly in the critical manufacturing sector. It also sees action on a global basis.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.
Germany-based 3S-Smart Software Solutions GmbH has released Versions 220.127.116.11, 18.104.22.168, and 22.214.171.124 to resolve the vulnerabilities for the affected CODESYS products.
Click on the CODESYS update page for more information on how to obtain the software update.
Updating to Version 126.96.36.199 or higher is recommended over Version 188.8.131.52, which does not resolve the vulnerabilities for all affected products. Further details from 3S-Smart Software Solutions GmbH can be found in a security report.
As part of a security strategy, 3S-Smart Software Solutions GmbH recommends the following general defense measures to reduce the risk of exploits:
• Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
• Use firewalls to protect and separate the control system network from other networks
• Use VPN (virtual private networks) tunnels if remote access is required
• Activate and apply user management and password features
• Limit the access to both development and control system by physical means, operating system features
• Protect both development and control system by using up-to-date virus detecting solutions
For more information and general recommendations for protecting machines and plants, see also the CODESYS security whitepaper.