19 December 2018

KLCERT-18-035: CodeSYS Control V3 Access Control Inactive by Default

Timeline

Timeline

  • Kaspersky ICS CERT advisory published

    19 December 2018

  • Vendor advisory published

    December 2018

  • Vulnerability patched

    December 2018

  • Vulnerability reported

    June 2018

Description

Neither communication encryption nor user authentication is activated by default, but must be activated by the user.

Exploitability

Remotely

Attack complexity

Low

User interaction

None

Impact

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

Existence of exploit

Unknown

Affected products

All variants of the following CODESYS V3 products in all versions prior to V3.5.14.0 containing the CmpSecureChannel or CmpUserMgr component are affected, regardless of the CPU type or the operating system:

  • CODESYS Control for BeagleBone
  • CODESYS Control for emPC-A/iMX6
  • CODESYS Control for IOT2000
  • CODESYS Control for Linux
  • CODESYS Control for PFC100
  • CODESYS Control for PFC200
  • CODESYS Control for Raspberry Pi
  • CODESYS Control RTE V3
  • CODESYS Control RTE V3 (for Beckhoff CX)
  • CODESYS Control Win V3 (also part of the CODESYS setup)
  • CODESYS V3 Simulation Runtime (part of the CODESYS Development System)
  • CODESYS Control V3 Runtime System Toolkit
  • CODESYS HMI V3

Mitigation

Vendor mitigation

This issue is resolved in two steps to allow communication clients other than the CODESYS Development system to find a compatible update strategy.

In version V3.5.14.0 of the affected products, which has already been released, the CODESYS development system enables communication and user management policies in affected products to be configured online by the CODESYS development system. In the communication settings dialog of the CODESYS development system, where the path to the PLC is configured, there is a clearly visible link to CODESYS online help explaining the technical background and reminding the user to activate these features.

This allows customers to activate and enforce communication encryption and user management.

The second step will involve activating both features by default in version V3.5.15.0 of the affected products.

Version V3.5.15.0 is expected to be released in July 2019.

Encryption of online communication and online user management has been available in CODESYS Control runtime systems in several service packs already released for the affected products. Depending on the PLC runtime system, these features can be activated either by the user or by the control system’s manufacturer only. Further information on activating encrypted communication and user management can be found in CODESYS online help.

In general, 3S-Smart Software Solutions GmbH recommends the following defensive measures as part of the mitigation strategy to reduce the risk of exploitation of this vulnerability:

  • Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
  • Use firewalls to protect and separate the control network from other networks
  • Use VPN (Virtual Private Network) tunnels if remote access is required
  • Activate and apply user management and password protection features
  • Restrict access to both the development system and the control using physical methods, the operating system’s features, etc.
  • Protect both the development system and the control system with up-to-date antivirus solutions

Kaspersky Lab publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky Lab does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.

Timeline

  • Kaspersky ICS CERT advisory published

    19 December 2018

  • Vendor advisory published

    December 2018

  • Vulnerability patched

    December 2018

  • Vulnerability reported

    June 2018