A Positive Technologies application analysis expert studied the CODESYS Runtime System and discovered a high-severity vulnerability
CODESYS Group has fixed a vulnerability in the ICS software package CODESYS V3 Runtime System detected by Positive Technologies expert Denis Goryushev. CODESYS V3 Runtime System is part of CODESYS, the leading hardware-independent software, which provides a development environment for programming controller applications in accordance with the industrial automation standard IEC 61131-3. The company's products are installed in over 400 industrial companies in more than 10 countries, including Russia.
This high-severity vulnerability (CVE-2021-36764) was found in the CODESYS V3 Runtime System software package (version 220.127.116.11). By exploiting it, an attacker can disable the PLC and disrupt the industrial process it controls. The flaw is a NULL pointer dereference in the CmpGateway component: an attacker with network access to the controller can send a specially crafted TCP packet and stop the PLC. A second vulnerability in the same software, a local privilege escalation, was also found and is currently under review by the vendor.
Artur Akhatov, ICS Security Analyst, Positive Technologies, said:
"CODESYS products are widely used all over the world, including in Russia. One of our partners uses them to create automatic fire-fighting systems for power plants. If criminals exploit this vulnerability to disrupt the operation of the fire extinguishing system, it may result in huge losses in case of a fire (for example, if the fire reaches the turbine shop)."
Denis Goryushev, Application Analysis Specialist, Positive Technologies, commented:
"The investigated version has been publicly available for quite a long time—it is strange that this vulnerability remained unnoticed until now. It is a simple logical error that occurs because there is no verification of the transmitted values: you can send a specially crafted request controlling the connection, which will lead to a zero address and a denial of service."
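The bug class Goryushev describes, a value taken from the wire selecting a connection whose lookup result is then used without a check, is illustrated below in C. This is an added example, not CODESYS code: it does not reflect the actual CmpGateway implementation, message format or fix, and the connection table, the 4-byte little-endian connection id layout and the function names are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CONNS 4u

/* Hypothetical per-connection state; stands in for whatever a gateway keeps per client. */
typedef struct {
    int      in_use;
    uint32_t peer_id;
    size_t   bytes_seen;
} conn_t;

static conn_t g_conns[MAX_CONNS];

/* Open a slot so that a packet referencing it is legitimate. Returns 0 on success, -1 if out of range. */
int open_conn(uint32_t conn_id, uint32_t peer_id) {
    if (conn_id >= MAX_CONNS) return -1;
    g_conns[conn_id].in_use = 1;
    g_conns[conn_id].peer_id = peer_id;
    g_conns[conn_id].bytes_seen = 0;
    return 0;
}

/* Bytes accounted to a connection so far (0 for an invalid id). */
size_t conn_bytes_seen(uint32_t conn_id) {
    return conn_id < MAX_CONNS ? g_conns[conn_id].bytes_seen : 0;
}

/* Returns the connection for an id, or NULL when the id is out of range or the slot is not open.
 * NULL is a normal outcome here, because the id is chosen by the remote peer. */
static conn_t *lookup_conn(uint32_t conn_id) {
    if (conn_id >= MAX_CONNS || !g_conns[conn_id].in_use) return NULL;
    return &g_conns[conn_id];
}

/* Constructed packet layout (an assumption, not the real protocol):
 * 4-byte little-endian connection id followed by an arbitrary payload. */
static int parse_conn_id(const uint8_t *pkt, size_t len, uint32_t *out) {
    if (pkt == NULL || len < 4) return -1;
    *out = (uint32_t)pkt[0] | ((uint32_t)pkt[1] << 8) |
           ((uint32_t)pkt[2] << 16) | ((uint32_t)pkt[3] << 24);
    return 0;
}

/* VULNERABLE pattern: the value from the wire selects the connection and the result is
 * dereferenced without a check. An unknown id yields NULL and the whole process dies,
 * which on a PLC means the controller stops. */
int handle_packet_vulnerable(const uint8_t *pkt, size_t len) {
    uint32_t id;
    if (parse_conn_id(pkt, len, &id) != 0) return -1;
    conn_t *c = lookup_conn(id);
    c->bytes_seen += len;              /* NULL dereference when id is unknown */
    return 0;
}

/* FIXED pattern: validate the lookup result, drop the packet and keep serving other clients. */
int handle_packet_fixed(const uint8_t *pkt, size_t len) {
    uint32_t id;
    if (parse_conn_id(pkt, len, &id) != 0) return -1;   /* malformed: too short */
    conn_t *c = lookup_conn(id);
    if (c == NULL) return -2;                            /* unknown connection: reject, do not crash */
    c->bytes_seen += len;
    return 0;
}

int main(void) {
    const uint8_t known[]   = {1, 0, 0, 0, 0xAA, 0xBB};  /* constructed: id 1 + 2-byte payload */
    const uint8_t unknown[] = {7, 0, 0, 0, 0xAA};        /* constructed: id 7 is out of range */
    open_conn(1, 0x1234);
    printf("known id, fixed handler:   %d\n", handle_packet_fixed(known, sizeof known));
    printf("unknown id, fixed handler: %d\n", handle_packet_fixed(unknown, sizeof unknown));
    /* handle_packet_vulnerable(unknown, sizeof unknown) would crash the process here */
    return 0;
}
```

The only difference between the two handlers is the `if (c == NULL)` check; everything that makes the packet attacker-controlled is identical. Any function that resolves a peer-supplied identifier to a pointer should be treated as returning NULL on the normal path, and that path should be exercised by a test with an out-of-range id and with an id for a closed slot, since both are free for a remote sender to choose.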
The vulnerability was reported in March, and CODESYS released a patch within four months. To fix it, install the updated software version available on the official CODESYS website. Where the update cannot be installed, attempts to exploit the flaw can be detected with continuous security monitoring and ICS incident management solutions such as PT Industrial Security Incident Manager.