{"id":131328,"date":"2023-08-10T17:00:00","date_gmt":"2023-08-11T00:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=131328"},"modified":"2024-07-03T12:07:26","modified_gmt":"2024-07-03T19:07:26","slug":"multiple-high-severity-vulnerabilities-in-codesys-v3-sdk-could-lead-to-rce-or-dos","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/08\/10\/multiple-high-severity-vulnerabilities-in-codesys-v3-sdk-could-lead-to-rce-or-dos\/","title":{"rendered":"Multiple high severity vulnerabilities in CODESYS V3 SDK could lead to RCE or DoS"},"content":{"rendered":"\n

Microsoft’s cyberphysical system researchers recently identified multiple high-severity vulnerabilities in the CODESYS V3 software development kit (SDK), a software development environment widely used to program and engineer programmable logic controllers (PLCs). Exploitation of the discovered vulnerabilities, which affect all versions of CODESYS V3 prior to version 3.5.19.0, could put operational technology (OT) infrastructure at risk of attacks, such as remote code execution (RCE) and denial of service (DoS). The discovery of these vulnerabilities highlights the critical importance of ensuring the security of industrial control systems and underscores the need for continuous monitoring and protection of these environments.<\/p>\n\n\n\n

CODESYS is compatible<\/a> with approximately 1,000 different device types from over 500 manufacturers and several million devices that use the solution to implement the international industrial standard IEC (International Electrotechnical Commission) 61131-3. A DoS attack against a device using a vulnerable version of CODESYS could enable threat actors to shut down a power plant, while remote code execution could create a backdoor for devices and let attackers tamper with operations, cause a PLC to run in an unusual way, or steal critical information. Exploiting the discovered vulnerabilities, however, requires user authentication, as well as deep knowledge of the proprietary protocol of CODESYS V3 and the structure of the different services that the protocol uses.<\/p>\n\n\n\n

Microsoft researchers reported the discovery to CODESYS in September 2022 and worked closely with CODESYS to ensure that the vulnerabilities are patched. Information on the patch released by CODESYS to address these vulnerabilities can be found here: Security update for CODESYS Control V3<\/a>. We strongly urge CODESYS users to apply these security updates<\/a> as soon as possible. We also thank CODESYS for their collaboration and recognizing the urgency in addressing these vulnerabilities.<\/p>\n\n\n\n

Below is a list of the discovered vulnerabilities discussed in this blog:<\/p>\n\n\n\n

<figure><table><tbody><tr><td><strong>CVE<\/strong><\/td><td><strong>CODESYS component<\/strong><\/td><td><strong>CVSS score<\/strong><\/td><td><strong>Impact<\/strong><\/td><\/tr>
<tr><td>CVE-2022-47379<\/td><td>CmpApp<\/td><td>8.8<\/td><td rowspan=\"12\">DoS, RCE<\/td><\/tr>
<tr><td>CVE-2022-47380<\/td><td>CmpApp<\/td><td>8.8<\/td><\/tr>
<tr><td>CVE-2022-47381<\/td><td>CmpApp<\/td><td>8.8<\/td><\/tr>
<tr><td>CVE-2022-47382<\/td><td>CmpTraceMgr<\/td><td>8.8<\/td><\/tr>
<tr><td>CVE-2022-47383<\/td><td>CmpTraceMgr<\/td><td>8.8<\/td><\/tr>
<tr><td>CVE-2022-47384<\/td><td>CmpTraceMgr<\/td><td>8.8<\/td><\/tr>
<tr><td>CVE-2022-47385<\/td><td>CmpAppForce<\/td><td>8.8<\/td><\/tr>
<tr><td>CVE-2022-47386<\/td><td>CmpTraceMgr<\/td><td>8.8<\/td><\/tr>
<tr><td>CVE-2022-47387<\/td><td>CmpTraceMgr<\/td><td>8.8<\/td><\/tr>
<tr><td>CVE-2022-47388<\/td><td>CmpTraceMgr<\/td><td>8.8<\/td><\/tr>
<tr><td>CVE-2022-47389<\/td><td>CmpTraceMgr<\/td><td>8.8<\/td><\/tr>
<tr><td>CVE-2022-47390<\/td><td>CmpTraceMgr<\/td><td>8.8<\/td><\/tr>
<tr><td>CVE-2022-47391<\/td><td>CmpDevice<\/td><td>7.5<\/td><td rowspan=\"3\">DoS<\/td><\/tr>
<tr><td>CVE-2022-47392<\/td><td>CmpApp \/ CmpAppBP \/ CmpAppForce<\/td><td>8.8<\/td><\/tr>
<tr><td>CVE-2022-47393<\/td><td>CmpFiletransfer<\/td><td>8.8<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

In this blog, we provide an overview of the CODESYS V3 protocol structure, highlighting several key components, and describe the main issue that led to our discovery of the vulnerabilities. The full research and the results can be found in our report on GitHub<\/a>. We also provide an open-source forensics tool<\/a> to help users identify impacted devices, security recommendations for those affected, and detection information for potentially related threats.<\/p>\n\n\n\n

CODESYS: A widely used PLC solution<\/h2>\n\n\n\n

CODESYS is a software development environment that provides automation specialists with tools for developing automated solutions. CODESYS is a platform-independent solution that helps device manufacturers implement the international industrial standard IEC 61131-3. The SDK also has management software that runs on Windows machines and a simulator for testing environments, allowing users to test their PLC systems before deployment. The proprietary protocols used by CODESYS use either UDP or TCP for communication between the management software and the PLC.<\/p>\n\n\n\n

CODESYS is widely used and can be found in several industries, including factory automation, energy automation, and process automation, among others.<\/p>\n\n\n

Figure 1. CODESYS devices exposed to the internet (based on Microsoft Defender Threat Intelligence data)<\/em><\/figcaption><\/figure>\n\n\n\n

Discovering the CODESYS vulnerabilities<\/h2>\n\n\n\n

The vulnerabilities were uncovered by Microsoft researchers while examining the security of the CODESYS V3 proprietary protocol as part of our goal to improve the security standards and create forensic tools for OT devices. During this research, we examined the structure and security of the protocol that is used by many types and vendors of PLCs. We examined the following two PLCs that use CODESYS V3 from different vendors: Schneider Electric Modicon TM251 and WAGO PFC200.<\/p>\n\n\n

Figure 2. The two examined PLCs<\/em><\/figcaption><\/figure>\n\n\n\n

CODESYS V3 protocol<\/h2>\n\n\n\n

The CODESYS network protocol works over either TCP or UDP:<\/p>\n\n\n\n