Full Report
The CODESYS Control runtime system enables embedded or PC-based devices to be a programmable industrial controller. The CODESYS Control runtime system provides several security features. To limit the access to the programming port, it allows defining users with individual passwords or also to configure a role based user management with graded access rights and multiple …
Analysis Summary
# Vulnerability: CODESYS V3 Password Transmission Vulnerability
## CVE Details
- **CVE ID:** CVE-2019-9013
- **CVSS Score:** 8.8 (High) - *Note: While the article text notes "0.0", the provided vector string [CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H] calculates to 8.8.*
- **CWE:** CWE-319 (Cleartext Transmission of Sensitive Information) / Insufficient transportation protection.
## Affected Systems
- **Products:** Various CODESYS V3 Runtime Systems including:
  - CODESYS Control (BeagleBone, emPC-A/iMX6, IOT2000, Linux, PFC100, PFC200, Raspberry Pi)
  - CODESYS Control RTE V3 (including Beckhoff CX)
  - CODESYS Control Win V3 (and Development System setup)
  - CODESYS V3 Simulation Runtime
  - CODESYS Control V3 Runtime System Toolkit
  - CODESYS HMI V3
- **Versions:** V3 versions prior to the implementation of TLS-based encryption for online communication.
- **Configurations:** Systems where TLS-based encrypted CODESYS online communication is **not** enabled.
## Vulnerability Description
The CODESYS Control runtime system provides user management and password features to restrict access to the programming port. However, when TLS-based encryption for online communication is not used, user credentials (passwords) are insufficiently protected in transit. An attacker who can capture network traffic between the development system and the controller can intercept these credentials and potentially recover or view them, because they are not carried over a secure channel.
## Exploitation
- **Status:** Unknown (No public PoC listed in the advisory).
- **Complexity:** Low
- **Attack Vector:** Adjacent (Typically requires access to the local industrial network or adjacent network segment).
## Impact
- **Confidentiality:** High (Credentials can be intercepted).
- **Integrity:** High (Intercepted credentials allow unauthorized modification of PLC logic).
- **Availability:** High (Unauthorized access allows stopping or crashing the controller).
## Remediation
### Patches
- **Recommended Action:** Users should update to versions of the CODESYS Development System and Runtime that support and enforce **TLS-based encrypted online communication**.
### Workarounds
- **Network Isolation:** Use controllers only in protected environments; ensure they are not accessible from the internet.
- **Micro-segmentation:** Use firewalls to separate the control network from other corporate networks.
- **Secure Remote Access:** Use Virtual Private Networks (VPN) tunnels for any required remote access.
- **Physical Security:** Limit physical access to both the development stations and the control systems.
- **Endpoint Protection:** Ensure development systems use up-to-date antivirus/security solutions.
## Detection
- **Indicators of Compromise:** Unusual network traffic on CODESYS programming ports; unauthorized logins or logic changes.
- **Detection Methods:**
  - Network traffic analysis to identify unencrypted credential transmission.
  - Audit logs within CODESYS (if enabled) to monitor for unauthorized user access.
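The network-traffic check above can be automated as a passive classifier: for each session reaching the controller's programming port, look at the first bytes the client sends and decide whether they open a TLS handshake or not. Anything that is not a TLS ClientHello is a cleartext CODESYS session of the kind this advisory concerns and should be raised to the SOC. The script below is an added example written for this page; it is not code from the advisory, from CODESYS, or from Kaspersky ICS CERT. It assumes the programming port numbers given in `CODESYS_PORTS` (the advisory names none, so treat them as configurable placeholders for the values set on your controller), and the session records it scans are constructed inline rather than captured from real traffic.

```python
"""
Passive detection of unencrypted CODESYS online communication.
Added example for this advisory page (not vendor code). It classifies
sessions by whether the client's first payload bytes begin a TLS handshake.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumption: ports used for CODESYS V3 online communication. The advisory
# does not state port numbers; replace with the values configured on the PLC.
CODESYS_PORTS = {11740, 11741}


@dataclass(frozen=True)
class Session:
    src: str                  # development-station address
    dst: str                  # controller address
    dport: int                # destination port on the controller
    first_client_bytes: bytes # first payload bytes sent client -> controller


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the bytes start a TLS record carrying a ClientHello.

    TLS record header: content type 0x16 (handshake), major version 0x03,
    minor version, 2-byte length; the handshake header that follows starts
    with message type 0x01 (ClientHello).
    """
    if len(payload) < 6:
        return False
    return payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01


def classify(session: Session) -> str:
    """Return 'not-codesys', 'encrypted' or 'cleartext' for one session."""
    if session.dport not in CODESYS_PORTS:
        return "not-codesys"
    if looks_like_tls_client_hello(session.first_client_bytes):
        return "encrypted"
    return "cleartext"


def find_cleartext_sessions(sessions: Iterable[Session]) -> List[str]:
    """Return one alert line per session that talks to a CODESYS port without TLS."""
    return [
        f"ALERT cleartext CODESYS online session {s.src} -> {s.dst}:{s.dport}"
        for s in sessions
        if classify(s) == "cleartext"
    ]


# Constructed sample sessions (not real captures).
# A TLS 1.2 ClientHello record header followed by a truncated handshake body.
TLS_HELLO = bytes.fromhex("160303002a0100002603030000")
# Arbitrary non-TLS bytes standing in for an unencrypted client message.
PLAINTEXT = bytes.fromhex("c500000c00010000")

SAMPLE_SESSIONS = [
    Session("10.0.5.20", "10.0.5.10", 11741, TLS_HELLO),  # encrypted, fine
    Session("10.0.5.21", "10.0.5.10", 11740, PLAINTEXT),  # cleartext, alert
    Session("10.0.5.22", "10.0.5.10", 443, PLAINTEXT),    # not a CODESYS port
    Session("10.0.5.23", "10.0.5.10", 11740, b"\x16\x03"), # too short to judge -> cleartext
]

if __name__ == "__main__":
    for line in find_cleartext_sessions(SAMPLE_SESSIONS):
        print(line)
```

The check is deliberately conservative: a session that is too short to identify as TLS is reported as cleartext so that it gets looked at rather than silently dropped. In production this logic would sit behind a packet-capture or flow sensor that hands over the first client payload of each new TCP connection; the port set is the only site-specific knob.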
## References
- **Vendor Advisory:** hxxps://customers.codesys[.]com/index.php?eID=dumpFile&t=f&f=12941&token=262143cc9cb9b06821d3745a331df4643c79a953&download=
- **Kaspersky ICS CERT:** hxxps://ics-cert.kaspersky[.]com/advisories/2019/08/13/klcert-19-031-codesys-v3-password-transmission-vulnerability/
- **NVD:** hxxps://nvd.nist[.]gov/vuln/detail/CVE-2019-9013