A recent revelation of 16 critical vulnerabilities in the CODESYS V3 software development toolkit could expose operational technology (OT) environments to threats, specifically remote code execution and denial-of-service attacks under certain conditions.
These vulnerabilities, tracked as CVE-2022-47378 through CVE-2022-47393 and collectively referred to as CoDe16, carry a CVSS score of 8.8, with the lone exception of CVE-2022-47391, which is rated 7.5. A majority, 12 in number, are buffer overflow issues.
“All versions of CODESYS V3 before 126.96.36.199 are vulnerable. If exploited, these flaws could compromise OT infrastructure, leading to possibilities like remote code execution (RCE) and denial-of-service (DoS),” stated Vladimir Tokarev from the Microsoft Threat Intelligence Community.
Although exploitation requires both user authentication and a thorough understanding of CODESYS V3’s proprietary protocol, successful breaches might lead to severe outcomes, including service disruptions and unwanted manipulations of vital automation systems.
Tokarev further highlighted the potential risks, “The remote code execution vulnerabilities could be manipulated to introduce backdoors in OT equipment, compromising programmable logic controllers (PLCs). This could serve as a gateway for information pilferage.”
Tokarev added that exploitation also requires bypassing the PLCs' security measures, namely Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). A known flaw, CVE-2019-9013 (CVSS score 8.8), can be used to illicitly obtain credentials through a replay attack targeting the PLC. With those credentials, the new vulnerabilities can then be triggered to induce a buffer overflow, granting control over the device.
The vulnerabilities were rectified in April 2023. Here’s a concise breakdown:
- CVE-2022-47378 to CVE-2022-47393: Once authenticated, an attacker can send specifically crafted communication requests that manipulate various components, potentially causing denial-of-service conditions, memory overwriting, or even remote code execution.
Tokarev cautioned, “CODESYS is widely employed across numerous vendors. A single vulnerability can compromise multiple sectors, devices, and industries, not to mention the risks associated with multiple vulnerabilities.”
He added a bleak prediction, “Adversaries might exploit the DoS vulnerability to halt industrial activities using a susceptible CODESYS version or leverage the RCE flaws to implant backdoors, facilitating unauthorized access, operation tampering, or even causing PLCs to function hazardously.”