19 декабря 2018

KLCERT-18-036: CodeSYS Control V3 Improper Communication Address Filtering

Vendor

CodeSYS

Researcher

Alexander Nochvay, Kaspersky ICS CERT

Timeline

Timeline

  • Kaspersky ICS CERT advisory published

    19 декабря 2018

  • Vendor releases patch

    Декабрь 2018

  • Vulnerabilities reported

    Июль 2018

Description

CODESYS routing protocol may disguise the source of crafted communication packets.

Exploitability

Remotely

Attack complexity

Low

User interaction

None

Impact

Successful exploitation of this vulnerability could allow an attacker to get access to sensitive information.

Existence of exploit

Unknown

Affected products

All variants of the following CODESYS V3 products in all versions prior to V3.5.14.0 containing the CmpRouter component are affected, regardless of the CPU type or the operating system:

  • CODESYS Control for BeagleBone
  • CODESYS Control for emPC-A/iMX6
  • CODESYS Control for IOT2000
  • CODESYS Control for Linux
  • CODESYS Control for PFC100
  • CODESYS Control for PFC200
  • CODESYS Control for Raspberry Pi
  • CODESYS Control RTE V3
  • CODESYS Control RTE V3 (for Beckhoff CX)
  • CODESYS Control Win V3 (also part of the CODESYS Development System setup)
  • CODESYS Control V3 Runtime System Toolkit
  • CODESYS V3 Embedded Target Visu Toolkit
  • CODESYS V3 Remote Target Visu Toolkit
  • CODESYS V3 Safety SIL2
  • CODESYS Gateway V3
  • CODESYS HMI V3
  • CODESYS OPC Server V3
  • CODESYS PLCHandler SDK
  • CODESYS V3 Development System

Mitigation

Vendor mitigation

3S-Smart Software Solutions GmbH has released version V3.5.14.0 to resolve this vulnerability issue for all affected CODESYS products.

To date, 3S-Smart Software Solutions GmbH has not identified any workarounds for this vulnerability.

In general, 3S-Smart Software Solutions GmbH recommends the following defensive measures as part of the mitigation strategy to reduce the risk of exploitation of this vulnerability:

  • Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
  • Use firewalls to protect and separate the control network from other networks
  • Use VPN (Virtual Private Network) tunnels if remote access is required
  • Activate and apply user management and password protection features
  • Restrict access to both the development system and the control system using physical methods, the operating system’s features, etc.
  • Protect both the development system and the control system with up-to-date antivirus solutions

Kaspersky Lab publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky Lab does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.

Timeline

  • Kaspersky ICS CERT advisory published

    19 декабря 2018

  • Vendor releases patch

    Декабрь 2018

  • Vulnerabilities reported

    Июль 2018