Cybersecurity researchers on Thursday disclosed as many as ten critical vulnerabilities impacting CODESYS automation software that could be exploited to achieve remote code execution on programmable logic controllers (PLCs).
"To exploit the vulnerabilities, an attacker does not need a username or password; having network access to the industrial controller is enough," researchers from Positive Technologies said. "The main cause of the vulnerabilities is insufficient verification of input data, which may itself be caused by failure to comply with the secure development recommendations."
The Russian cybersecurity firm noted that it detected the vulnerabilities on a PLC offered by WAGO, which, among other automation technology companies such as Beckhoff, Kontron, Moeller, Festo, Mitsubishi, and HollySys, use CODESYS software for programming and configuring the controllers.
CODESYS offers a development environment for programming controller applications for use in industrial control systems. The German software company credited Vyacheslav Moskvin, Denis Goryushev, Anton Dorfman, Ivan Kurnakov, and Sergey Fedonin of Positive Technologies and Yossi Reuven of SCADAfence for reporting the flaws.
Six of the most severe flaws were identified in the CODESYS V2.3 web server component used by CODESYS WebVisu to visualize a human-machine interface (HMI) in a web browser. The vulnerabilities could potentially be leveraged by an adversary to send specially-crafted web server requests to trigger a denial-of-service condition, write or read arbitrary code to and from a control runtime system's memory, and even crash the CODESYS web server.
All the six bugs have been rated 10 out of 10 on the CVSS scale —
- CVE-2021-30189 - Stack-based Buffer Overflow
- CVE-2021-30190 - Improper Access Control
- CVE-2021-30191 - Buffer Copy without Checking Size of Input
- CVE-2021-30192 - Improperly Implemented Security Check
- CVE-2021-30193 - Out-of-bounds Write
- CVE-2021-30194 - Out-of-bounds Read
Separately, three other weaknesses (CVSS scores: 8.8) disclosed in the Control V2 runtime system could be abused to craft malicious requests that may result in a denial-of-service condition or being utilized for remote code execution.
- CVE-2021-30186 - Heap-based Buffer Overflow
- CVE-2021-30188 - Stack-based Buffer Overflow
- CVE-2021-30195 - Improper Input Validation
Lastly, a flaw found in the CODESYS Control V2 Linux SysFile library (CVE-2021-30187, CVSS score: 5.3) could be used to call additional PLC functions, in turn allowing a bad actor to delete files and disrupt critical processes.
"An attacker with low skills would be able to exploit these vulnerabilities," CODESYS cautioned in its advisory, adding it found no known public exploits that specifically target them.
"Their exploitation can lead to remote command execution on PLC, which may disrupt technological processes and cause industrial accidents and economic losses," said Vladimir Nazarov, Head of ICS Security at Positive Technologies. "The most notorious example of exploiting similar vulnerabilities is by using Stuxnet."
The disclosure of the CODESYS flaws comes close on the heels of similar issues that were addressed in Siemens SIMATIC S7-1200 and S7-1500 PLCs that could be exploited by attackers to remotely gain access to protected areas of the memory and achieve unrestricted and undetected code execution.