Kaspersky Lab publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky Lab does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.
|Researcher||Alexander Nochvay, Kaspersky Lab|
|Description||CODESYS routing protocol may disguise the source of crafted communication packets.|
|Impact||Successful exploitation of this vulnerability could allow an attacker to get access to sensitive information.|
|CVSS v3 Base Score:||5.8|
|Existence of exploit||Unknown|
|Affected products||All variants of the following CODESYS V3 products in all versions prior to V220.127.116.11 containing the CmpRouter component are affected, regardless of the CPU type or the operating system:
|Vendor mitigation||3S-Smart Software Solutions GmbH has released version V18.104.22.168 to resolve this vulnerability issue for all affected CODESYS products.
To date, 3S-Smart Software Solutions GmbH has not identified any workarounds for this vulnerability.
In general, 3S-Smart Software Solutions GmbH recommends the following defensive measures as part of the mitigation strategy to reduce the risk of exploitation of this vulnerability:
|Timeline||Jul 2018 – Vulnerabilities reported
Dec 2018 – Vendor releases patch
Dec 2018 – Advisory published