A patch is now available to fix the vulnerabilities in the 3S-Smart Software Solutions GmbH CODESYS Gateway-Server, according to an ICS-CERT advisory.
Successful exploitation of these vulnerabilities, discovered by independent researcher Aaron Portnoy of Exodus Intelligence, could allow remote code execution. The Gateway-Server is a third-party component found in products from multiple control system manufacturers. These remotely exploitable vulnerabilities affect products used primarily in the energy, critical manufacturing, and industrial automation sectors.
Gateway-Server versions prior to 2.3.9.27 are affected.
The 3S security patch addresses a directory traversal vulnerability and several improper memory-buffer bounds checks.
3S-Smart Software Solutions GmbH, based in Germany, is the manufacturer of CODESYS, used in the industrial automation field.
CODESYS is used in virtually all sectors of the automation industry: by manufacturers of industrial controllers and intelligent automation devices, by end users in many different industries, and by system integrators who build automation solutions on CODESYS.
The 3S CODESYS Gateway-Server performs operations on a memory buffer but can read from or write to a memory location outside the buffer's intended boundary. An attacker who sends a specially crafted packet over TCP/1211 could cause a crash, read unintended memory locations, or execute arbitrary code.
CVE-2012-4704 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.4.
The 3S CODESYS Gateway-Server uses external input to construct a pathname intended to identify a file or directory underneath a restricted parent directory, but it does not properly neutralize special path elements (such as "..") that can make the pathname resolve to a location outside that directory. An attacker can exploit this by supplying a specially crafted directory path.
CVE-2012-4705 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.
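To make the traversal class concrete, here is an added example (not 3S code, and not the Gateway-Server's actual file handling; the root directory, the request strings and the normalisation rules are assumptions) that puts the naive path join beside a resolver that normalises the requested name and refuses anything that would leave the restricted directory:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 32

/* Vulnerable pattern: the client-supplied name is simply appended to the
 * restricted directory. "../../etc/passwd" passes through untouched and the
 * resulting path resolves outside root. */
static int naive_join(const char *root, const char *req, char *out, size_t out_sz)
{
    int n = snprintf(out, out_sz, "%s/%s", root, req);
    return (n < 0 || (size_t)n >= out_sz) ? -1 : 0;
}

/* Hardened resolver: lexically normalises the request relative to root and
 * refuses anything that would leave it. Rules (assumptions of this example):
 *  - absolute paths, backslashes and drive-letter colons are rejected outright
 *  - "." and empty components are dropped
 *  - ".." pops the previous component; popping past root is an escape
 * Returns 0 and writes root/<normalised> to out, or -1 if rejected. */
static int resolve_under_root(const char *root, const char *req, char *out, size_t out_sz)
{
    const char *comp[MAX_DEPTH];
    size_t comp_len[MAX_DEPTH];
    size_t depth = 0;

    if (req[0] == '/' || strchr(req, '\\') || strchr(req, ':'))
        return -1;

    for (const char *p = req; *p; ) {
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t n = (size_t)(p - start);
        if (*p == '/')
            p++;                                   /* skip the separator */
        if (n == 0 || (n == 1 && start[0] == '.'))
            continue;                              /* "" and "." add nothing */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return -1;                         /* ".." above root: escape */
            depth--;
            continue;
        }
        if (depth == MAX_DEPTH)
            return -1;
        comp[depth] = start;
        comp_len[depth] = n;
        depth++;
    }

    size_t used = strlen(root);
    if (used + 1 > out_sz)
        return -1;
    memcpy(out, root, used);
    for (size_t i = 0; i < depth; i++) {
        if (used + 1 + comp_len[i] + 1 > out_sz)
            return -1;
        out[used++] = '/';
        memcpy(out + used, comp[i], comp_len[i]);
        used += comp_len[i];
    }
    out[used] = '\0';
    return 0;
}

/* 1 = resolved to `expected`, 0 = resolved somewhere else, -1 = rejected. */
static int resolves_to(const char *root, const char *req, const char *expected)
{
    char buf[256];
    if (resolve_under_root(root, req, buf, sizeof buf) != 0)
        return -1;
    return strcmp(buf, expected) == 0 ? 1 : 0;
}

/* 1 if the naive join still carries a parent-directory reference. */
static int naive_escapes(const char *root, const char *req)
{
    char buf[256];
    if (naive_join(root, req, buf, sizeof buf) != 0)
        return -1;
    return strstr(buf, "/../") != NULL;
}

int main(void)
{
    const char *root = "/var/gateway/files";          /* hypothetical root */
    const char *reqs[] = { "logs/today.txt", "a/./b//c", "a/../b",
                           "../../etc/passwd", "a/../../b", "\\..\\boot.ini" };
    char buf[256];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int rc = resolve_under_root(root, reqs[i], buf, sizeof buf);
        printf("%-20s -> %s\n", reqs[i], rc == 0 ? buf : "REJECTED");
    }
    return 0;
}
```

The lexical check is only the first layer: it does not see symlinks placed inside the root, and on Windows it does not account for case folding or short (8.3) names. Open the resolved path with O_NOFOLLOW (or re-check the opened file's real path against the root) so that a link inside the directory cannot undo the normalisation.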
The 3S CODESYS Gateway-Server does not correctly handle a signed value, which could allow an attacker to overwrite a buffer with malicious data. The vulnerability is triggered by sending a specially crafted packet over TCP/1211 and affects the availability of the system.
CVE-2012-4706 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.
The 3S CODESYS Gateway-Server can read from or write to a memory location outside the intended boundary of a buffer. As a result, an attacker may execute arbitrary code, alter the intended control flow, read sensitive information, or cause a system crash.
CVE-2012-4707 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.
By sending a specially crafted packet to the 3S CODESYS Gateway-Server over TCP/1211, an attacker can cause a stack-based buffer overflow. This condition could allow an attacker to crash the system or cause a denial of service.
CVE-2012-4708 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.
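The four memory-safety findings above share a shape: a length or offset taken from the packet is trusted when sizing a buffer operation. As an added example (not CODESYS code; the two-byte length-prefixed message format is an assumption, and the real Gateway-Server protocol is not described on this page), the following C puts a signedness bug of the kind CVE-2012-4706 describes beside a parser that checks the length as an unsigned value against both the destination buffer and the bytes actually received:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format (an assumption, not the CODESYS protocol):
 * a 2-byte big-endian length field followed by that many payload bytes. */
#define PAYLOAD_MAX 64

typedef struct {
    uint8_t data[PAYLOAD_MAX];
    size_t  len;
} message_t;

/* Vulnerable pattern: the length is read into a signed 16-bit integer and the
 * only bounds check is "len > PAYLOAD_MAX". A field of 0xFFFE becomes -2,
 * passes the check, and is then converted back to size_t for memcpy(), which
 * is asked to copy far more than PAYLOAD_MAX bytes. The copy is deliberately
 * not performed here; the function reports what memcpy() would be handed so
 * the example can run without crashing. Returns true if the copy would run. */
static bool vuln_accepts(const uint8_t *pkt, size_t pkt_len, size_t *copy_len)
{
    if (pkt_len < 2)
        return false;
    int16_t len = (int16_t)((pkt[0] << 8) | pkt[1]);    /* signed: the bug */
    if (len > PAYLOAD_MAX)                               /* a negative len passes */
        return false;
    *copy_len = (size_t)len;                             /* sign-extended, huge */
    return true;
}

/* Hardened parse: unsigned length, checked against both the destination
 * buffer and the bytes actually present in the packet before any copy.
 * Returns 0 on success, negative on rejection. */
static int parse_message(const uint8_t *pkt, size_t pkt_len, message_t *out)
{
    if (pkt_len < 2)
        return -1;                                       /* no length field */
    uint16_t len = (uint16_t)((pkt[0] << 8) | pkt[1]);   /* cannot be negative */
    if (len > PAYLOAD_MAX)
        return -2;                                       /* exceeds destination */
    if (len > pkt_len - 2)
        return -3;                                       /* claims more than sent */
    memcpy(out->data, pkt + 2, len);
    out->len = len;
    return 0;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t PKT_NEGATIVE_LEN[] = { 0xFF, 0xFE, 'A' };           /* -2 as int16 */
static const uint8_t PKT_OK[]           = { 0x00, 0x03, 'a', 'b', 'c' }; /* length 3 */
static const uint8_t PKT_TRUNCATED[]    = { 0x00, 0x10, 'a' };           /* claims 16, sends 1 */

/* Byte count the vulnerable check would hand to memcpy(), or 0 if rejected. */
static size_t demo_vuln_copy_len(void)
{
    size_t n = 0;
    return vuln_accepts(PKT_NEGATIVE_LEN, sizeof PKT_NEGATIVE_LEN, &n) ? n : 0;
}

/* Hardened parser's status for the negative-length packet. */
static int demo_hardened_negative_len(void)
{
    message_t m;
    return parse_message(PKT_NEGATIVE_LEN, sizeof PKT_NEGATIVE_LEN, &m);
}

/* Payload length the hardened parser accepts for the valid packet, or the
 * negative status if it was rejected. */
static int demo_hardened_ok(void)
{
    message_t m;
    int rc = parse_message(PKT_OK, sizeof PKT_OK, &m);
    return rc == 0 ? (int)m.len : rc;
}

/* Hardened parser's status for a packet shorter than its declared length. */
static int demo_hardened_truncated(void)
{
    message_t m;
    return parse_message(PKT_TRUNCATED, sizeof PKT_TRUNCATED, &m);
}

int main(void)
{
    printf("vulnerable check on 0xFFFE: memcpy length would be %zu\n", demo_vuln_copy_len());
    printf("hardened parser on 0xFFFE: %d\n", demo_hardened_negative_len());
    printf("hardened parser on valid packet: payload len %d\n", demo_hardened_ok());
    printf("hardened parser on truncated packet: %d\n", demo_hardened_truncated());
    return 0;
}
```

The third check (length against bytes actually received) is the one most often missing: even with an unsigned, bounded length, a short packet that declares a longer payload makes memcpy() read past the receive buffer, which is the out-of-bounds read case described above.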
No known public exploits specifically target these vulnerabilities. However, an attacker with moderate skill would be able to exploit them.
3S has produced a security patch that mitigates these vulnerabilities; it is available on the CODESYS download site.