Positive Technologies Uncovers Critical Vulnerabilities in CODESYS; Serious Threat to Industrial Control Systems Worldwide

Remote code execution on PLC 1 is a menace to technological processes

Positive Technologies experts Anton Dorfman, Ivan Kurnakov, Sergey Fedonin, Vyacheslav Moskvin and Denis Goryushev have identified 10 vulnerabilities in CODESYS 2 automation software for industrial control systems. Some are of high and critical severity. CODESYS has fixed the vulnerabilities and released security advisories (1, 2, 3).

«The vendor rated some of these vulnerabilities as 10 out of 10, or extremely dangerous,» says Vladimir Nazarov, Head of ICS Security at Positive Technologies. «Their exploitation can lead to remote command execution on PLC, which may disrupt technological processes and cause industrial accidents and economic losses. The most notorious example of exploiting similar vulnerabilities is by using Stuxnet. In one such attack, this malware modified a project in PLC, hampering the operation of centrifuges at Iran’s nuclear facility in Natanz. Initially, we analyzed the WAGO 750-8207 PLC. After we informed WAGO about the found vulnerabilities, the company passed the information to the people working on CODESYS, the software used as a foundation by 15 manufacturers to build PLC firmware. In addition to WAGO, that includes Beckhoff, Kontron, Moeller, Festo, Mitsubishi, HollySys and several Russian developers. In other words, a lot of controllers are affected by these vulnerabilities.»

To exploit the vulnerabilities, an attacker does not need a username or password; having network access to the industrial controller is enough. According to the researchers, the main cause of the vulnerabilities is insufficient verification of input data, which may itself be caused by failure to comply with the secure development recommendations.

The most dangerous problems were revealed in the CODESYS V2.3 web server component used by CODESYS WebVisu to display human-machine interface in a web browser. Multiple vulnerabilities discovered in this component received a CVSS 3.0 score of 10 and identifiers CVE-2021-30189, CVE-2021-30190, CVE-2021-30191, CVE-2021-30192, CVE-2021-30193, and CVE-2021-30194.

Other vulnerabilities rated 8.8 were found in the CODESYS Control V2 communication runtime system, which enables embedded PC systems to be a programmable industrial controller. Identifiers: CVE-2021-30186, CVE-2021-30188, and CVE-2021-30195.

Finally, vulnerability CVE-2021-30187 discovered in CODESYS Control V2 Linux SysFile library was rated 5.3. This vulnerability can be used to call additional PLC functions utilizing the SysFile system library. Attackers can, for example, delete some files and potentially disrupt particular technological processes.

To eliminate the vulnerabilities, companies are advised to follow the recommendations in CODESYS official notices (1, 2, 3). If it is impossible to install an update, you can detect signs of penetration by using systems for monitoring security and managing cybersecurity incidents, such as PT Industrial Security Incident Manager.

 

  1. Programmable logic controllers (PLC) are devices that fully automate the operation of various industrial equipment, mechanisms, machines, and tools.
  2. CODESYS (controller development system) is a development environment for PLC applications used by manufacturers around the world.