A recent disclosure has revealed a series of 16 high-severity security vulnerabilities in the CODESYS V3 software development kit (SDK). The flaws could lead to remote code execution and denial-of-service conditions, posing significant risks to operational technology (OT) sectors.
The vulnerabilities, tracked from CVE-2022-47378 to CVE-2022-47393 and collectively referred to as CoDe16, have a notable CVSS score of 8.8, except for CVE-2022-47391, rated at 7.5. A majority of these vulnerabilities are classified as buffer overflow vulnerabilities, which can be particularly damaging in OT environments.
“The exploitation of these vulnerabilities, affecting all versions of CODESYS V3 prior to version 3.5.19.0, could jeopardize OT infrastructure, leading to attacks like remote code execution (RCE) and denial-of-service (DoS),” stated Vladimir Tokarev from the Microsoft Threat Intelligence Community in an official report.
While in-depth knowledge of the proprietary protocols used in CODESYS V3 and user authentication are required for successful exploitation, the potential consequences are serious, including significant interruptions to critical automation processes. The uncovered remote code execution vulnerabilities hold the potential for malicious actors to create backdoors in OT devices, manipulating the operation of programmable logic controllers (PLCs).
Exploiting these vulnerabilities demands user authentication and the successful evasion of security mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). To circumvent user authentication, attackers could utilize a known vulnerability, CVE-2019-9013, which allows credentials to be stolen via a replay attack against the PLCs, and then gain control of the device by triggering the buffer overflows.
Patches to address these vulnerabilities were released in April 2023, immediately following their identification. A brief overview of the vulnerabilities highlights various scenarios in which crafted communication requests can lead to denial-of-service conditions and unauthorized memory access—emphasizing the need for prompt remediation within affected systems.
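As an added example, not drawn from the Microsoft report or from CODESYS itself, the script below triages a constructed device inventory against the rule stated above (every CODESYS V3 release before 3.5.19.0 is affected); the hostnames and version strings are made up, and the numeric version comparison is the part worth noting, since a plain string compare misorders releases such as 3.5.9.0 and 3.5.19.0.

```python
# Added example (not from the Microsoft report or from CODESYS): triage a
# device inventory against the CoDe16 advisory using the affected-version rule
# the article states: every CODESYS V3 release before 3.5.19.0.
from typing import Dict, List, Tuple

FIXED_VERSION = "3.5.19.0"
CODE16_CVES = [f"CVE-2022-{n}" for n in range(47378, 47394)]  # the 16 IDs the article names

def parse_version(version: str) -> Tuple[int, ...]:
    """'3.5.18.40' -> (3, 5, 18, 40). Numeric tuples compare correctly where a
    string compare would rank '3.5.9.0' above '3.5.19.0'; short versions are
    padded with zeros so '3.5.19' == '3.5.19.0'. Raises ValueError on junk."""
    fields = [int(p) for p in version.strip().split(".")]
    return tuple(fields + [0] * (4 - len(fields)))

def is_affected(version: str) -> bool:
    """True when a CODESYS V3 runtime predates the fixed release.
    Non-V3 majors are out of scope for CoDe16 and return False."""
    parsed = parse_version(version)
    return parsed[0] == 3 and parsed < parse_version(FIXED_VERSION)

def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Annotate each asset with a status: 'patch' (V3 below 3.5.19.0),
    'ok' (V3 at or above it), 'out-of-scope' (not V3), 'unknown' (unparseable)."""
    findings = []
    for asset in inventory:
        entry = dict(asset)
        try:
            parsed = parse_version(asset["codesys_version"])
        except (KeyError, ValueError):
            entry["status"] = "unknown"
        else:
            if parsed[0] != 3:
                entry["status"] = "out-of-scope"
            elif parsed < parse_version(FIXED_VERSION):
                entry["status"] = "patch"
                entry["cves"] = ", ".join(CODE16_CVES)
            else:
                entry["status"] = "ok"
        findings.append(entry)
    return findings

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "plc-line1", "codesys_version": "3.5.18.40"},
    {"host": "plc-line2", "codesys_version": "3.5.19.0"},
    {"host": "plc-line3", "codesys_version": "3.5.9.0"},
    {"host": "hmi-old", "codesys_version": "2.3.9.68"},
    {"host": "gw-unknown", "codesys_version": "n/a"},
]
```

Running `triage(SAMPLE_INVENTORY)` flags plc-line1 and plc-line3 for patching, passes plc-line2, and marks the V2 and unparseable entries for manual follow-up.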
The implications extend across multiple sectors due to the widespread adoption of CODESYS technology by various device vendors. “One vulnerability could influence many sectors and device types, especially given that multiple vulnerabilities exist,” cautioned Tokarev.
In the event of exploitation, threat actors may initiate DoS attacks on devices utilizing vulnerable versions of CODESYS, effectively shutting down industrial operations. Furthermore, RCE vulnerabilities could enable attackers to deploy backdoors for data theft, tampering with operations, or forcing PLCs into unsafe operating states, creating severe safety and operational issues.
In MITRE ATT&CK terms, the tactics of initial access and privilege escalation are the relevant ones for understanding how these vulnerabilities might be exploited, underscoring the need for vigilance in cybersecurity practice.