15 severe vulnerabilities in CODESYS industrial automation software patched

Attackers could potentially shut down a power plant, create back doors and steal critical information, Microsoft researchers say


Security researchers at Microsoft identified 15 vulnerabilities in CODESYS V3, the widely used hardware-independent automation software for developing and engineering controller applications.

CODESYS is used in millions of devices to implement the IEC 61131-3 standard for programmable logic controllers (PLCs).

According to Microsoft researchers, an attack on a vulnerable device could enable threat actors to shut down or tamper with industrial operations, create a backdoor and steal critical information.

During analysis of the CODESYS V3 protocol structure, the researchers found security flaws in the tag decoding mechanism used for data transmission. This led to the discovery of 15 buffer overflow vulnerabilities in several different CODESYS components, which could be exploited for remote code execution on PLCs.

Most of the vulnerabilities carry a CVSS severity rating of 8.8.

While an attacker would need to be authenticated to exploit them, a separate, previously known vulnerability, CVE-2019-9013, could enable credentials to be stolen via a replay attack, in which a valid data transmission is repeated or delayed by the attacker.

Combining this technique with 12 of the buffer overflows they had identified, the researchers were able to gain full control of the PLCs.

In the hands of an attacker, the consequences could be severe, said Vladimir Tokarev of the Microsoft Threat Intelligence Community in a blog post.

"Threat actors could launch a DoS attack against a device using a vulnerable version of CODESYS to shut down industrial operations or exploit the RCE vulnerabilities to deploy a backdoor to steal sensitive data, tamper with operations, or force a PLC to operate in a dangerous way."

Microsoft disclosed the vulnerabilities to CODESYS last year and worked with the company to release patches in CODESYS V3.5.19.0. V3 versions prior to 3.5.19.0 are vulnerable.

Users are urged to update device firmware to 3.5.19.0 or above, and apply general security recommendations including ensuring the devices are not connected to the internet, segmenting networks, and tightening access requirements.
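To act on the update guidance above, the following inventory check (an added example for this article, not Microsoft's open-source tool or any CODESYS code) flags V3 runtimes that report a version below 3.5.19.0. The inventory entries are constructed, and the `parse_version`/`classify` helpers are this example's own; the point is that version strings must be compared numerically, since as plain strings "3.5.9.0" sorts above "3.5.19.0".

```python
"""Flag CODESYS V3 runtime versions below the fixed release 3.5.19.0.

Added example; assumes an inventory of (device, reported version) pairs
exported from an asset-management system. Sample data is constructed.
"""
from typing import NamedTuple, Optional, Tuple

FIXED_VERSION = (3, 5, 19, 0)  # CODESYS V3.5.19.0 carries the patches


class Finding(NamedTuple):
    device: str
    version: str
    status: str  # "vulnerable", "patched", "not-v3" or "unparsable"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn 'V3.5.18.40' or '3.5.19' into a numeric tuple, or None.

    Numeric comparison matters: as strings, '3.5.9.0' > '3.5.19.0'.
    """
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    nums = tuple(int(p) for p in parts)
    # Pad short strings so a 3-field version compares like a 4-field one.
    return nums + (0,) * (4 - len(nums)) if len(nums) < 4 else nums


def classify(device: str, version: str) -> Finding:
    """Classify one device against the 3.5.19.0 threshold."""
    parsed = parse_version(version)
    if parsed is None:
        return Finding(device, version, "unparsable")
    if parsed[0] != 3:
        return Finding(device, version, "not-v3")  # article covers V3 only
    status = "patched" if parsed >= FIXED_VERSION else "vulnerable"
    return Finding(device, version, status)


def audit(inventory) -> list:
    """Run classify() over every (device, version) pair."""
    return [classify(device, version) for device, version in inventory]


# Constructed sample inventory (not real devices or observed data)
SAMPLE_INVENTORY = [
    ("plc-line1", "V3.5.18.40"),  # below threshold: vulnerable
    ("plc-line2", "3.5.19.0"),    # exactly the fixed release: patched
    ("plc-line3", "3.5.9.0"),     # string compare would misclassify this
    ("plc-legacy", "V2.3.9.50"),  # V2 runtime: out of this article's scope
    ("hmi-panel", "unknown"),     # needs manual follow-up
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.device:12} {f.version:12} {f.status}")
```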

Microsoft's researchers have released an open-source tool to help identify affected devices. Microsoft 365 Defender for IoT also provides protection against exploitation of the vulnerabilities.

"The discovery of these vulnerabilities highlights the critical importance of ensuring the security of industrial control systems and underscores the need for continuous monitoring and protection of these environments," Tokarev wrote.