
Public reports are out showing an improper access control vulnerability affecting 3S-Software CoDeSys, which also allows for multiple vulnerabilities affecting the WAGO IPC 758-870, an embedded Linux programmable logic controller (PLC).

An attacker could exploit these vulnerabilities to gain unauthorized access or to make unauthenticated configuration changes, which may include arbitrary code, according to a report on ICS-CERT.

The improper access control vulnerability was released by Reid Wightman of Digital Bond without coordination with either the vendor or ICS-CERT.

The vendors are aware of the report, are confirming the vulnerabilities, and will release any mitigations.

With CoDeSys, a third-party product used on PLCs and engineering workstations, the following is remotely exploitable: improper access control that could lead to a loss of integrity.

The WAGO report showed the following remotely exploitable vulnerabilities: use of a hard-coded password that could lead to loss of integrity, and improper access control that could lead to loss of integrity and possible arbitrary code execution.
