
Critical infrastructure management software vulnerable to unauthorized access

Reid Wightman of security firm IOActive reported an undocumented backdoor in CoDeSys, software that is used to manage equipment in power plants, military environments, and nautical ships.

The bug allows malicious hackers to access sensitive systems without authorization, Ars said. The CoDeSys tool will grant a command shell to anyone who knows the proper command syntax and inner workings, leaving systems that are connected to the public Internet open to malicious tampering. "There is absolutely no authentication needed to perform this privileged command," Wightman mentioned.

The software is used in industrial control systems sold by 261 different manufacturers. 3S-Smart Software Solutions, which designs CoDeSys, recently issued an advisory recommending that users set a password, but Wightman was able to develop two exploit shells that work fine without authentication: codesys-shell.py (to get the CoDeSys command shell without authentication) and codesys-transfer.py (to read or write files to the PLC without authentication).

This is another major security vulnerability that threatens power plants and other critical infrastructure, both in the United States and elsewhere in the world. Wightman said a simple search using Shodan showed 117 devices directly connected to the Internet.

Wightman said that additional vulnerability details about the issue, and exploit code that automates the hack, can be added to the Metasploit framework.
