Industrial PLCs worldwide impacted by CODESYS V3 RCE flaws

Cyber Security Threat Summary:
Microsoft recently disclosed 15 high-severity vulnerabilities in the CODESYS V3 software development kit (SDK), a software development environment widely used to program and engineer programmable logic controllers (PLCs). “Over 500 device manufacturers use the CODESYS V3 SDK for programming on more than 1,000 PLC models according to the IEC 61131-3 standard, allowing users to develop custom automation sequences. The SDK also provides a Windows management interface and a simulator that allows users to test their PLC configuration and programming before deploying it in production” (Bleeping Computer, 2023). The vulnerabilities, tracked as CVE-2022-47378, CVE-2022-47379, CVE-2022-47380, CVE-2022-47381, CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47385, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, CVE-2022-47390, CVE-2022-47392, and CVE-2022-47393, impact all versions of CODESYS V3 prior to version and can be exploited to put operational technology infrastructure at risk of attacks, including remote code execution and denial of service.

The issues seem to stem from the way the SDK decodes tags, which are carriers of data or data structures that provide crucial instructions for the PLC to function. In particular, Microsoft noted that the tags are copied into the device buffer without their size being verified, which causes a buffer overflow.
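
The missing size check described above, as an added C example (not CODESYS code and not taken from Microsoft's report): a decoder that validates each declared tag length against both the remaining input and the destination buffer before copying. The tag layout, `tag_read`, `demo` and the sample messages are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tag layout (an assumption, NOT the CODESYS wire format):
 *   1-byte id | 2-byte little-endian length | value bytes */
enum { TAG_OK = 0, TAG_TRUNCATED = -1, TAG_TOO_BIG = -2, TAG_NOT_FOUND = -3 };
/* Copy the value of tag `want` into dst (capacity dst_cap); sets *out_len. */
int tag_read(const uint8_t *msg, size_t msg_len, uint8_t want,
             uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    size_t off = 0;
    while (off < msg_len) {
        if (msg_len - off < 3) return TAG_TRUNCATED;   /* header must fit */
        uint8_t id = msg[off];
        size_t len = (size_t)msg[off + 1] | ((size_t)msg[off + 2] << 8);
        off += 3;
        if (len > msg_len - off) return TAG_TRUNCATED; /* size exceeds input */
        if (id == want) {
            /* Flaw class described above: copying here without this check. */
            if (len > dst_cap) return TAG_TOO_BIG;
            memcpy(dst, msg + off, len);
            *out_len = len;
            return TAG_OK;
        }
        off += len;                                    /* skip unrelated tag */
    }
    return TAG_NOT_FOUND;
}

/* Constructed sample messages; demo() decodes into a 4-byte buffer. */
static const uint8_t MSG_OK[]  = { 1, 2, 0, 'h', 'i', 2, 3, 0, 'a', 'b', 'c' };
static const uint8_t MSG_BIG[] = { 2, 8, 0, 1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t MSG_LIE[] = { 2, 0xFF, 0xFF, 'x' };

int demo(const uint8_t *msg, size_t n, uint8_t want)
{
    uint8_t buf[4];
    size_t got = 0;
    int rc = tag_read(msg, n, want, buf, sizeof buf, &got);
    return rc == TAG_OK ? (int)got : rc;   /* value length or error code */
}

int main(void)
{
    printf("ok=%d big=%d lie=%d\n", demo(MSG_OK, sizeof MSG_OK, 2),
           demo(MSG_BIG, sizeof MSG_BIG, 2), demo(MSG_LIE, sizeof MSG_LIE, 2));
    return 0;
}
```

Rejecting the oversized tag (`TAG_TOO_BIG`) rather than truncating it keeps the decoder from acting on a partial value.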

Security Officer Comments:
According to Microsoft, exploiting the vulnerabilities requires deep knowledge of the proprietary protocol of CODESYS V3 as well as user authentication. However, this authentication requirement can be bypassed by leveraging another flaw impacting CODESYS (CVE-2019-9013), which exposes user credentials in cleartext during transport. An attacker could use the unsecured usernames and passwords gathered to perform a replay attack against the PLC, successfully bypassing the user authentication process.

With millions of PLCs using the software development kit, Microsoft notes that successful exploitation of these flaws could inflict great damage on targets. For instance, “a DoS attack against a device using a vulnerable version of CODESYS could enable threat actors to shut down a power plant, while remote code execution could create a backdoor for devices and let attackers tamper with operations, cause a PLC to run in an unusual way, or steal critical information.”

Suggested Correction(s):
Microsoft reported the discovery to CODESYS in September 2022, and CODESYS has since released patches (version to to address the flaws. CODESYS users have been advised to apply these security updates as soon as possible to prevent potential exploitation.

In general, users should also:

  • Make sure all critical devices, such as PLCs, routers, PCs, etc., are disconnected from the internet and segmented, regardless of whether they run CODESYS.
  • Limit access to CODESYS devices to authorized components only.
  • Because exploiting these CVEs still requires a username and password, if prioritizing patching is difficult, reduce risk by ensuring proper segmentation, requiring unique usernames and passwords, and reducing the number of users that have writing authentication.