Kaspersky Lab publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky Lab does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.
|Researcher||Alexander Nochvay, Kaspersky Lab|
|Description||CODESYS communication servers use insufficiently random values.|
|Impact||Successful exploitation of this vulnerability could allow an attacker to gain access to sensitive information.|
|CVSS v3 Base Score||9.4|
|Existence of exploit||Unknown|
|Affected products||All variants of the following CODESYS V3 products that contain communication servers for the CODESYS communication protocol are affected in all versions prior to V18.104.22.168, regardless of the CPU type or the operating system:
CODESYS Control for emPC-A/iMX6
|Vendor mitigation||3S-Smart Software Solutions GmbH has released version V22.214.171.124 to fix this vulnerability in all affected CODESYS products.
Currently, 3S-Smart Software Solutions GmbH has not identified any workarounds for this vulnerability.
In general, 3S-Smart Software Solutions GmbH recommends the following defensive measures as part of the mitigation strategy to reduce the risk of exploitation of this vulnerability:
|Timeline||Jul 2018 – Vulnerabilities reported
Dec 2018 – Vendor releases patch
Dec 2018 – Advisory published