13 August 2019
KLCERT-19-031: CODESYS V3 Password transmission vulnerability
Vendor: CODESYS
CVE-IDs: -
KLCERT: KLCERT-19-031
Timeline
- Kaspersky ICS CERT advisory published: 22 June 2019
- Vendor published advisory: July 2019
- Vulnerabilities reported: July 2018
Description
CVSS v3
Exploitability: Remotely
Attack complexity
User interaction
Impact
Existence of exploit: Unknown
Affected products
CODESYS Control for BeagleBone
CODESYS Control for emPC-A/iMX6
CODESYS Control for IOT2000
CODESYS Control for Linux
CODESYS Control for PFC100
CODESYS Control for PFC200
CODESYS Control for Raspberry Pi
CODESYS Control RTE V3
CODESYS Control RTE V3 (for Beckhoff CX)
CODESYS Control Win V3 (also part of the CODESYS Development System setup)
CODESYS V3 Simulation Runtime (part of the CODESYS Development System)
CODESYS Control V3 Runtime System Toolkit
CODESYS HMI V3
Mitigation
Vendor mitigation
3S-Smart Software Solutions GmbH recommends as part of the mitigation strategy the following defensive measures to reduce the risk of exploitation of this vulnerability:
- Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
- Use firewalls to protect and separate the control system network from other networks
- Use VPN (Virtual Private Networks) tunnels if remote access is required
- Activate and apply user management and password features
- Limit the access to both development and control system by physical means, operating system features, etc.
- Protect both development and control system by using up to date virus detecting solutions
Kaspersky Lab publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky Lab does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.