Advisory ID : ngCERT-2023-0034
CVE(s): CVE-2019-9013; CVE-2022-47379; CVE-2022-47380; CVE-2022-47381; CVE-2022-47382; CVE-2022-47383; CVE-2022-47384; CVE-2022-47385; CVE-2022-47386; CVE-2022-47387; CVE-2022-47388; CVE-2022-47389; CVE-2022-47390; CVE-2022-47391; CVE-2022-47392; CVE-2022-47393
Summary: Multiple high-severity vulnerabilities in the CODESYS V3 software development kit (SDK) were recently disclosed by Microsoft's cyber-physical systems researchers. By sending crafted packets, the researchers triggered buffer overflows in a range of industrial control system (ICS) devices built on the SDK, uncovering a number of vulnerabilities in the process. These flaws could result in denial of service (DoS) or remote code execution (RCE).
Damage/Probability: CRITICAL/HIGH
Description: The CODESYS V3 software development kit (SDK) is a development environment used industry-wide to program programmable logic controllers (PLCs). It helps device manufacturers implement IEC 61131-3, the vendor-independent international standard for programmable controller programming languages in industrial automation. The vulnerabilities are post-authentication, so to conduct the attack the researchers first had to bypass user authentication, which they did by exploiting CVE-2019-9013. This flaw allows a "replay attack against the PLC using the unsecured username and password's hash that were sent during the sign-in process, allowing bypass of user authentication process." With valid credentials in hand, the attacker opens a new communication channel to the device and signs in. A malicious packet that triggers a buffer overflow is then sent over that channel to exploit one of the vulnerabilities and gain full control of the device.
Consequences: Exploitation of any of the vulnerabilities could lead to a denial of service (DoS) or remote code execution (RCE) on the affected device. Because these vulnerabilities affect industrial control systems used in critical infrastructure such as power generation and distribution, exploitation could cause major disruptions and outages. An attacker with code execution on a PLC can also install a backdoor, tamper with the controlled process, or exfiltrate sensitive operational information.
The complete exploit steps are summarized as follows:
(a) Steal credentials with CVE-2019-9013.
(b) Create a new channel for the attack.
(c) Sign-in to the device with the stolen credentials.
(d) Exploit the vulnerabilities with a malicious packet that triggers a buffer overflow.
(e) Gain full control of the device.
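The step (d) packet works because a decoder trusts a length field supplied by the sender. The following constructed C example, added to this advisory and not taken from CODESYS or from Microsoft's research, shows that bug class in the smallest form: a tag-length-value field whose declared length is copied into a fixed 32-byte name slot without being compared to the slot size, next to a decoder that rejects oversize values. The packet layout, the record layout (name followed by a privilege-flags word) and all names are assumptions for illustration, not the CODESYS V3 protocol.

```c
/* Constructed example of an unchecked-length copy into a fixed field.
 * NOT CODESYS code; the packet and record layouts are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_LEN   32      /* size of the fixed name field            */
#define RECORD_LEN 64      /* name field plus adjacent control data   */
#define TAG_NAME   0x01    /* assumed tag value for a "name" field    */

/* Assumed record layout: [0..31] name, [32..35] privilege flags. */
enum { NAME_OFF = 0, PRIV_OFF = 32 };

/* Packet layout (assumed): [tag:1][len:1][value:len]. */

/* Vulnerable decoder: `len` is bounded only by what a one-byte length
 * field can express (255), never by NAME_LEN. A 40-byte name overwrites
 * the privilege flags; a 255-byte name would run off the record. */
int decode_name_vulnerable(const uint8_t *pkt, size_t pkt_len, uint8_t *record)
{
    if (pkt_len < 2 || pkt[0] != TAG_NAME) return -1;
    uint8_t len = pkt[1];
    if ((size_t)len + 2 > pkt_len) return -1;  /* packet is internally consistent... */
    memcpy(record + NAME_OFF, pkt + 2, len);   /* ...but len is never checked against NAME_LEN */
    return 0;
}

/* Hardened decoder: any value that does not fit its destination field is
 * rejected before the copy, and the field is zero-filled first. */
int decode_name_checked(const uint8_t *pkt, size_t pkt_len, uint8_t *record)
{
    if (pkt_len < 2 || pkt[0] != TAG_NAME) return -1;
    uint8_t len = pkt[1];
    if ((size_t)len + 2 > pkt_len) return -1;
    if (len > NAME_LEN) return -2;             /* oversize field: drop the packet */
    memset(record + NAME_OFF, 0, NAME_LEN);
    memcpy(record + NAME_OFF, pkt + 2, len);
    return 0;
}

/* Build a constructed name packet: tag, declared length, `len` bytes of 'A'. */
size_t build_name_packet(uint8_t *out, size_t out_cap, uint8_t len)
{
    if (out_cap < (size_t)len + 2) return 0;
    out[0] = TAG_NAME;
    out[1] = len;
    memset(out + 2, 'A', len);
    return (size_t)len + 2;
}

/* Decode one constructed packet of the given name length into a fresh record
 * whose privilege flags start as 1 (read-only), and return the flags afterwards.
 * Name lengths up to 62 stay inside the 64-byte record, so the demonstration
 * itself never writes out of bounds. */
uint32_t priv_after_decode(int (*decoder)(const uint8_t *, size_t, uint8_t *),
                           uint8_t name_len, int *rc)
{
    uint8_t record[RECORD_LEN] = {0};
    uint32_t priv = 1u;                         /* assumed: 1 = read-only user */
    memcpy(record + PRIV_OFF, &priv, sizeof priv);

    uint8_t pkt[2 + 255];
    size_t n = build_name_packet(pkt, sizeof pkt, name_len);
    *rc = decoder(pkt, n, record);

    memcpy(&priv, record + PRIV_OFF, sizeof priv);
    return priv;
}

int main(void)
{
    int rc;
    uint32_t p = priv_after_decode(decode_name_vulnerable, 40, &rc);
    printf("vulnerable decoder: rc=%d priv=0x%08x\n", rc, p);  /* flags now 0x41414141 */
    p = priv_after_decode(decode_name_checked, 40, &rc);
    printf("checked decoder:    rc=%d priv=0x%08x\n", rc, p);  /* rejected, flags intact */
    return 0;
}
```

With a 40-byte name the vulnerable decoder accepts the packet and the privilege word becomes 0x41414141, while the checked decoder returns -2 and leaves the record untouched; the same pattern with a longer value or a pointer stored after the buffer is how a crafted packet turns into a crash or code execution.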
Solution: Countermeasures to put into place include:
1. Patch all affected devices. Check with each device manufacturer for available fixes and update the device firmware to a build based on CODESYS version 3.5.19.0 or later.
2. Regardless of whether they run CODESYS, ensure that all critical hardware (PLCs, routers, PCs, etc.) is segmented and not reachable from the internet.
3. Only authorized components should be allowed access to CODESYS devices.
4. If patching cannot be prioritized immediately, note that these CVEs still require a valid username and password; reduce risk in the meantime by enforcing network segmentation, requiring unique per-user credentials, and minimizing the number of users with write access to the devices.
References:
https://www.microsoft.com/en-us/security/blog/2023/08/10/multiple-high-severity-vulnerabilities-in-codesys-v3-sdk-could-lead-to-rce-or-dos/
https://securityaffairs.com/149474/security/codesys-v3-sdk-rce-dos.html
https://github.com/microsoft/CoDe16