Microsoft warns Codesys PLC firmware bugs could 'shut down power plants'

Fifteen bugs in Codesys' industrial control systems software could be exploited to shut down power plants or steal information from critical infrastructure environments, experts have claimed.

In a report, with further details published on GitHub, Microsoft threat intel specialist Vladimir Tokarev says the Windows giant – no stranger to security holes, cough – disclosed details of vulnerabilities in the Codesys V3 SDK to the Germany-based vendor in September 2022. Codesys has since patched the bugs.

The SDK is widely used, we're told, and provides a development environment for engineers to configure and test programmable logic controllers (PLCs) for industrial systems. The firmware in a good deal of PLCs contains library routines from Codesys to run the engineers' programs, and it's this embedded code that is exploitable, resulting in equipment being vulnerable to attack.

While Microsoft's team focused on the firmware in PLCs made by Schneider Electric and Wago, Codesys V3 is available for about 1,000 device types from more than 500 manufacturers, which totals up to "several million devices" that use Codesys code to implement IEC 61131-3 – the international standard for vendor-neutral industrial equipment programming languages – according to the bug hunters.

So if your operational technology (OT) environment uses devices with any of this buggy firmware, update now if you can to avoid remote code execution (RCE) or denial of service (DoS) attacks.

The 15 vulnerabilities, tracked as CVE-2022-47379 through CVE-2022-47393 inclusive, all received CVSS severity ratings of 8.8 out of 10, except for CVE-2022-47391, which earned a 7.5. It's the only one that can't be abused for RCE.

A dozen of these are buffer overflow vulnerabilities, and in a separate write-up about the security holes that also lists all 15 CVEs, Microsoft's threat intel team describes the exploit process thus:

We were able to apply 12 of the buffer overflow vulnerabilities to gain RCE of PLCs. Exploiting the vulnerabilities requires user authentication as well as bypassing the Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) used by both the PLCs. To overcome the user authentication, we used a known vulnerability, CVE-2019-9013, which allows us to perform a replay attack against the PLC using the unsecured username and password's hash that were sent during the sign-in process, allowing us to bypass the user authentication process.

To be clear, these aren't easy exploits. They require user authentication and "deep knowledge of the proprietary protocol of Codesys V3 and the structure of the different services that the protocol uses," as Redmond notes. That means anyone trying to hijack these controllers will need to gain a foothold in the equipment.

But considering how high the stakes are — and the potential for causing mass disruption by shutting down factories or turning off power — we'd highly suggest patching ASAP. For one thing, the flaws could be exploited to quietly disrupt operations, create unsafe or dangerous situations, or affect machinery in ways outside of their expected programming, a la Stuxnet.

As Microsoft warned: "A DoS attack against a device using a vulnerable version of Codesys could enable threat actors to shut down a power plant, while remote code execution could create a backdoor for devices and let attackers tamper with operations, cause a PLC to run in an unusual way, or steal critical information." ®

Source: The Register
