13 August 2019

KLCERT-19-031: CODESYS V3 Password transmission vulnerability

Researcher

Alexander Nochvay

Timeline

Timeline

  • Kaspersky ICS CERT advisory published

    June 2019

  • Vendor advisory published

    July 2019

  • Vulnerability reported

    July 2018

Description

The CODESYS Control runtime system enables embedded or PC-based devices to be a programmable industrial controller. The CODESYS Control runtime system provides several security features. To limit the access to the programming port, it allows defining users with individual passwords or also to configure a role based user management with graded access rights and multiple users. Without using the TLS based encrypted CODESYS online communication, the user credentials are insufficiently protected on transport.

Exploitability

Remotely

Attack complexity

Low

User interaction

None

Impact

Attacker able to decrypt captured credentials.

Existence of exploit

Unknown

Affected products

CODESYS Control for BeagleBone
CODESYS Control for emPC-A/iMX6
CODESYS Control for IOT2000
CODESYS Control for Linux
CODESYS Control for PFC100
CODESYS Control for PFC200
CODESYS Control for Raspberry Pi
CODESYS Control RTE V3
CODESYS Control RTE V3 (for Beckhoff CX)
CODESYS Control Win V3 (also part of the CODESYS Development System setup)
CODESYS V3 Simulation Runtime (part of the CODESYS Development System)
CODESYS Control V3 Runtime System Toolkit
CODESYS HMI V3

Mitigation

Vendor mitigation

3S-Smart Software Solutions GmbH recommends as part of the mitigation strategy the following defensive measures to reduce the risk of exploitation of this vulnerability:

  • Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
  • Use firewalls to protect and separate the control system network from other networks
  • Use VPN (Virtual Private Networks) tunnels if remote access is required
  • Activate and apply user management and password features
  • Limit the access to both development and control system by physical means, operating system features, etc.
  • Protect both development and control system by using up to date virus detecting solutions

Kaspersky Lab publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky Lab does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.

Timeline

  • Kaspersky ICS CERT advisory published

    June 2019

  • Vendor advisory published

    July 2019

  • Vulnerability reported

    July 2018