2023-08-11

Millions of programmable logic controllers (PLCs) used in industrial environments worldwide are vulnerable to 15 security vulnerabilities in the CODESYS V3 software development kit (SDK). These vulnerabilities expose the PLCs to remote code execution (RCE) and denial of service (DoS) attacks.

The CODESYS V3 SDK is used by over 500 device manufacturers to program more than 1,000 PLC models in accordance with the IEC 61131-3 standard, letting users develop custom automation sequences. The SDK also includes a Windows management interface and a simulator for testing PLC configurations and programs before deployment.

The vulnerabilities in the CODESYS V3 SDK were discovered by Microsoft researchers, who reported them to CODESYS in September 2022. The vendor released security updates in April 2023 to address the identified issues. However, due to the infrequent updates of these devices, Microsoft’s security team published a detailed post to raise awareness about the risks and encourage prompt patching.

Microsoft examined two PLCs from Schneider Electric and WAGO that utilize CODESYS V3 and discovered 15 high-severity vulnerabilities. These flaws pose a significant threat, with a CVSS v3 score range of 7.5 to 8.8. The main issue lies in the tag decoding mechanism of the SDK, where tags are copied into the device buffer without size verification, enabling attackers to exploit buffer overflow vulnerabilities.

These tags contain crucial instructions for the PLC’s operation. Microsoft found the buffer overflow problem in various CODESYS V3 SDK components, including CMPTraceMgr, CMPapp, CMPDevice, CMPApp, CMPAppBP, CMPAppForce, and CMPFileTransfer.
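The root cause described above is a length-unchecked copy: a tag's declared payload size is trusted and the bytes are copied into a fixed-size buffer. The following C program is an added example and not CODESYS or Microsoft code; the tag layout (1-byte id, 2-byte little-endian length, payload) and the 64-byte buffer are constructed for illustration and are not the real CODESYS wire format. It shows the decoder with the two bounds checks a defender expects, and feeds it three constructed packets: a valid tag, a tag whose declared length exceeds the destination buffer (the case a decoder without the size check would overflow on), and a truncated packet.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical tag layout used by this example (not the real CODESYS format):
 *   byte 0     : tag id
 *   bytes 1..2 : payload length, little-endian
 *   bytes 3..  : payload
 */
#define TAG_HEADER_LEN 3
#define TAG_BUF_SIZE   64   /* fixed-size destination buffer, as on a constrained device */

enum tag_status {
    TAG_OK = 0,
    TAG_ERR_TRUNCATED,   /* packet does not carry as many bytes as the header declares */
    TAG_ERR_TOO_LARGE    /* declared payload would overrun the destination buffer */
};

struct tag {
    uint8_t  id;
    uint16_t len;
    uint8_t  payload[TAG_BUF_SIZE];
};

/* Length-checked decode: every bound is validated before the memcpy. */
enum tag_status decode_tag(const uint8_t *pkt, size_t pkt_len, struct tag *out)
{
    if (pkt_len < TAG_HEADER_LEN)
        return TAG_ERR_TRUNCATED;

    uint16_t declared = (uint16_t)(pkt[1] | (pkt[2] << 8));

    /* Check 1: the declared length must fit the destination buffer.
     * Omitting this check is exactly the class of defect the article describes:
     * the attacker-controlled length drives the copy past the end of the buffer. */
    if (declared > TAG_BUF_SIZE)
        return TAG_ERR_TOO_LARGE;

    /* Check 2: the packet must actually contain that many payload bytes
     * (guards against an over-read of the receive buffer). */
    if (pkt_len - TAG_HEADER_LEN < declared)
        return TAG_ERR_TRUNCATED;

    out->id  = pkt[0];
    out->len = declared;
    memcpy(out->payload, pkt + TAG_HEADER_LEN, declared);
    return TAG_OK;
}

/* Constructed sample packets. */
static const uint8_t PKT_VALID[]     = { 0x01, 0x04, 0x00, 'A', 'B', 'C', 'D' }; /* len 4 */
static const uint8_t PKT_OVERSIZED[] = { 0x01, 0xFF, 0xFF, 'A', 'B', 'C', 'D' }; /* len 65535 */
static const uint8_t PKT_TRUNCATED[] = { 0x01, 0x10, 0x00, 'A', 'B' };           /* len 16, 2 bytes present */

/* Small wrappers so the outcomes can be inspected (and asserted) by name. */
enum tag_status demo_valid(struct tag *out)
{
    return decode_tag(PKT_VALID, sizeof PKT_VALID, out);
}
enum tag_status demo_oversized(struct tag *out)
{
    return decode_tag(PKT_OVERSIZED, sizeof PKT_OVERSIZED, out);
}
enum tag_status demo_truncated(struct tag *out)
{
    return decode_tag(PKT_TRUNCATED, sizeof PKT_TRUNCATED, out);
}

int main(void)
{
    struct tag t;
    printf("valid     -> %d (0 = OK)\n", demo_valid(&t));
    printf("oversized -> %d (2 = too large for buffer)\n", demo_oversized(&t));
    printf("truncated -> %d (1 = truncated)\n", demo_truncated(&t));
    return 0;
}
```

The oversized packet is the interesting one: with check 1 removed, a 65535-byte copy into a 64-byte buffer would follow, which is the overflow pattern the article attributes to the tag decoder. Check 2 is the companion bound that is easy to forget once check 1 is in place.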

Authentication is usually required to exploit these flaws, but Microsoft noted that this requirement can be bypassed using another vulnerability, CVE-2019-9013, which exposes user credentials in cleartext during transport. In 12 out of the 15 cases, Microsoft’s analysts successfully leveraged the vulnerabilities to achieve remote code execution on the PLCs.

CODESYS’s security advisory lists the impacted products, which are affected when running versions earlier than 3.5.19.0, regardless of hardware and operating system configuration. To mitigate the risks, administrators are advised to upgrade to CODESYS V3 v3.5.19.0 promptly. Additionally, Microsoft advises disconnecting PLCs and other critical industrial devices from the internet to minimize the potential for attacks.
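When triaging an inventory of controllers against the 3.5.19.0 threshold, a common mistake is to compare version strings lexicographically, which wrongly treats 3.5.9.0 as newer than 3.5.19.0. The following C helper is an added example, not part of the advisory or of any CODESYS tooling; it parses dotted version strings numerically and reports whether a reported runtime version falls below the fixed version named in the article. The sample version strings are constructed.

```c
#include <stdio.h>
#include <string.h>

#define FIXED_VERSION "3.5.19.0"   /* first fixed CODESYS V3 version per the advisory */

/* Parse "a.b.c.d" into four integers; absent trailing fields count as 0.
 * Returns 1 on success, 0 if the string does not start with a number. */
static int parse_version(const char *s, int v[4])
{
    memset(v, 0, 4 * sizeof(int));
    int n = sscanf(s, "%d.%d.%d.%d", &v[0], &v[1], &v[2], &v[3]);
    return n >= 1;
}

/* Returns 1 if `reported` is earlier than `fixed`, 0 if equal or later,
 * and -1 if either string cannot be parsed. */
int version_is_earlier(const char *reported, const char *fixed)
{
    int r[4], f[4];
    if (!parse_version(reported, r) || !parse_version(fixed, f))
        return -1;
    for (int i = 0; i < 4; i++) {
        if (r[i] < f[i]) return 1;
        if (r[i] > f[i]) return 0;
    }
    return 0; /* identical */
}

/* Convenience wrapper for the threshold the article gives. */
int runtime_needs_update(const char *reported)
{
    return version_is_earlier(reported, FIXED_VERSION);
}

int main(void)
{
    /* Constructed sample of reported runtime versions. */
    const char *samples[] = { "3.5.18.40", "3.5.19.0", "3.5.19.10", "3.5.9.0", "unknown" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %d (1 = needs update, 0 = fixed, -1 = unparseable)\n",
               samples[i], runtime_needs_update(samples[i]));
    return 0;
}
```

The 3.5.9.0 case is the one worth keeping in a test: it is numerically earlier than 3.5.19.0 and therefore affected, even though a string comparison would rank it later.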