Full Report
This article continues the discussion of research on popular OEM technologies that are implemented in the products of a large number of vendors. Vulnerabilities in such technologies are highly likely to affect the security of many, if not all, products that use them. In some cases, this means hundreds of products that are used in industrial environments and in critical infrastructure facilities. This is the case with CODESYS Runtime, a framework by CODESYS designed for developing and executing industrial control system software.
Analysis Summary
Based on Part 3 of the Kaspersky ICS CERT research series on the CODESYS Runtime framework, the following is a summarized technical breakdown of the vulnerabilities identified there.
# Vulnerability: CODESYS Runtime Multiple Vulnerabilities (Part 3)
## CVE Details
- **CVE ID:** CVE-2018-20031, CVE-2018-20032, CVE-2018-20033
- **CVSS Score:** 10.0 (Critical)
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:** All PLC devices based on CODESYS Runtime System V3 (a popular OEM framework for industrial controllers).
- **Versions:** All versions of CODESYS Runtime System V3 prior to V3.5.14.0.
- **Configurations:** Systems where the CODESYS communication server is accessible via the network (typically TCP port 1217 or 11740).
## Vulnerability Description
The research identifies multiple critical flaws in the way the CODESYS communication protocol handles incoming data packets:
- **Heap-based Buffer Overflows:** These vulnerabilities exist in the component responsible for processing communication requests. By sending a specially crafted packet, an attacker can trigger memory corruption.
- **Lack of Authorization:** The communication protocol (in default configurations of older versions) does not require authentication to perform sensitive operations.
- **Protocol Logic Flaws:** Deficiencies in how the runtime handles structured data types allow for arbitrary memory access (read/write) or remote code execution (RCE) in the context of the PLC runtime process.
## Exploitation
- **Status:** PoC available (developed by researchers); no widespread exploitation in the wild at the time of publication, but high risk for targeted attacks.
- **Complexity:** Medium (requires knowledge of the proprietary CODESYS protocol).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Ability to read sensitive process data and logic).
- **Integrity:** High (Ability to modify PLC logic, control parameters, and firmware).
- **Availability:** High (Potential to crash the service, leading to a Denial of Service (DoS) of critical industrial processes).
## Remediation
### Patches
- **CODESYS Runtime System V3:** Update to version **V3.5.14.0** or later.
- **Vendor-Specific Patches:** Since CODESYS is an OEM technology, users must obtain firmware updates directly from their PLC manufacturer (e.g., Schneider Electric, WAGO, Eaton, Beckhoff).
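Because the fix threshold is a four-part version string (V3.5.14.0), a naive string comparison ranks "3.5.9.30" above "3.5.14.0" and would mark a vulnerable controller as patched. The following is an added example (not code from the Kaspersky report or from CODESYS) of triaging an asset inventory against the threshold numerically; the device names and version strings in the inventory are constructed for illustration.

```python
"""Triage a PLC inventory against the CODESYS Runtime V3 fix threshold.

Added example: the inventory below is constructed, and the version-string
formats it accepts ("V3.5.14.0", "3.5.14", ...) are an assumption about how
vendors report the embedded runtime version.
"""
import re

# Fix threshold from the advisory: CODESYS Runtime System V3 prior to V3.5.14.0 is affected.
FIXED_VERSION = "3.5.14.0"


def parse_version(version_str):
    """Return a 4-tuple of ints, e.g. 'V3.5.9.30' -> (3, 5, 9, 30), '3.5.14' -> (3, 5, 14, 0)."""
    m = re.search(r"v?(\d+(?:\.\d+)*)", version_str, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognized CODESYS version string: {version_str!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))  # pad short strings so tuples compare position by position
    return tuple(parts[:4])


def classify(version_str, fixed=FIXED_VERSION):
    """'vulnerable' if a V3 runtime older than the fix, 'patched' if V3 at/after it,
    'not_v3' for other major versions (outside the scope of this advisory)."""
    v = parse_version(version_str)
    if v[0] != 3:
        return "not_v3"
    return "vulnerable" if v < parse_version(fixed) else "patched"


def triage(inventory):
    """inventory: iterable of (device_name, reported_runtime_version)."""
    return [(device, version, classify(version)) for device, version in inventory]


# Constructed inventory (not real devices).
SAMPLE_INVENTORY = [
    ("plc-press-01", "V3.5.9.30"),
    ("plc-mixer-02", "3.5.14.0"),
    ("plc-conveyor-03", "3.5.15.10"),
    ("plc-legacy-04", "2.3.9.50"),
    ("plc-pump-05", "V3.5.14"),
]

if __name__ == "__main__":
    for device, version, status in triage(SAMPLE_INVENTORY):
        print(f"{device:16} {version:10} {status}")
```

Devices classified as vulnerable still need a vendor firmware update rather than a runtime upgrade on their own, as the Patches list above explains; the classification only tells you which assets to raise with which manufacturer.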
### Workarounds
- **Network Segmentation:** Isolate PLC networks from the corporate network and the internet using industrial firewalls.
- **Access Control:** Enable the "Online User Management" feature within CODESYS to require authentication for communication.
- **VPN:** Use secure encrypted tunnels for any remote engineering access to the PLC.
## Detection
- **Indicators of Compromise:**
  - Unusual traffic on TCP ports 1217 (Gateway) and 11740.
  - Repeated restarts of the PLC runtime service.
- **Detection Methods:**
  - Use Intrusion Detection Systems (IDS) with rules tailored to detect malformed CODESYS protocol headers.
  - Monitor for unauthorized "Login" or "Write" commands in the PLC log files.
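The three detection points above (Login/Write commands from hosts that are not engineering workstations, traffic to TCP 1217/11740 from untrusted sources, and bursts of runtime restarts) can be turned into a small log analyser. The following is an added example, not code from the report or from CODESYS: the log line format, the host names, the addresses and the engineering subnet 10.10.5.0/24 are all constructed assumptions; a real deployment would adapt the regular expression to the vendor's actual log layout and take the allow-list from the asset inventory.

```python
"""Scan constructed PLC/gateway log lines for the advisory's detection indicators.

Added example. Assumed log format (one event per line):
  <ISO timestamp> <host> CMD     src=<ip> dport=<port> cmd=<name> ...
  <ISO timestamp> <host> CONN    src=<ip> dport=<port> proto=tcp
  <ISO timestamp> <host> SERVICE event=runtime_restart
"""
import re
import ipaddress
from datetime import datetime, timedelta

CODESYS_PORTS = {1217, 11740}           # gateway and runtime ports named in the advisory
SENSITIVE_CMDS = {"Login", "Write"}     # commands the advisory says to watch for
# Assumed engineering-workstation subnet; only these hosts may issue Login/Write.
ENGINEERING_NET = ipaddress.ip_network("10.10.5.0/24")

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>CMD|SERVICE|CONN) (?P<rest>.*)$")

# Constructed sample log (not real device output).
SAMPLE_LOG = """\
2019-09-18T08:00:01 plc01 CMD src=10.10.5.20 dport=11740 cmd=Login user=engineer result=ok
2019-09-18T08:00:05 plc01 CMD src=10.10.5.20 dport=11740 cmd=Write target=ApplicationCode result=ok
2019-09-18T09:12:44 plc01 CMD src=192.168.40.77 dport=11740 cmd=Login user= result=ok
2019-09-18T09:12:46 plc01 CMD src=192.168.40.77 dport=11740 cmd=Write target=ApplicationCode result=ok
2019-09-18T09:13:02 plc01 SERVICE event=runtime_restart
2019-09-18T09:13:40 plc01 SERVICE event=runtime_restart
2019-09-18T09:14:15 plc01 SERVICE event=runtime_restart
2019-09-18T09:20:00 gw01 CONN src=203.0.113.9 dport=1217 proto=tcp
2019-09-18T09:21:00 plc01 CMD src=10.10.5.21 dport=11740 cmd=Read target=GlobalVars result=ok
"""


def parse_kv(rest):
    """Turn 'src=1.2.3.4 cmd=Login user=' into a dict (empty values allowed)."""
    return dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)


def analyse(log_text, restart_threshold=3, restart_window=timedelta(minutes=5)):
    """Return a list of alert tuples, one per matched indicator, in log order."""
    alerts = []
    restarts = {}        # host -> timestamps of recent runtime restarts
    restart_alerted = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # skip lines that do not follow the assumed format
        ts = datetime.fromisoformat(m["ts"])
        host, kind, fields = m["host"], m["kind"], parse_kv(m["rest"])

        if kind == "CMD" and fields.get("cmd") in SENSITIVE_CMDS:
            src = ipaddress.ip_address(fields["src"])
            if src not in ENGINEERING_NET:
                alerts.append(("unauthorized_command", host, str(src), fields["cmd"]))

        elif kind == "CONN" and int(fields.get("dport", 0)) in CODESYS_PORTS:
            src = ipaddress.ip_address(fields["src"])
            if src not in ENGINEERING_NET:
                alerts.append(("codesys_port_from_untrusted", host, str(src), int(fields["dport"])))

        elif kind == "SERVICE" and fields.get("event") == "runtime_restart":
            times = restarts.setdefault(host, [])
            times.append(ts)
            times[:] = [t for t in times if ts - t <= restart_window]  # sliding window
            if len(times) >= restart_threshold and host not in restart_alerted:
                restart_alerted.add(host)
                alerts.append(("repeated_runtime_restart", host, len(times)))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The restart rule fires once per host when the count inside the sliding window first reaches the threshold, so a controller that is crash-looping produces one alert rather than one per restart; the command rule deliberately ignores Read, since the advisory singles out Login and Write as the operations to watch.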
## References
- **Vendor Advisory:** hxxps[://]customers.codesys[.]com/index.php?eID=dumpFile&t=f&f=12940&token=81977717726715f33333333
- **Kaspersky ICS CERT:** hxxps[://]ics-cert.kaspersky[.]com/publications/reports/2019/09/18/security-research-codesys-runtime-a-plc-control-framework-part-3/
- **CISA Advisory:** hxxps[://]www.cisa[.]gov/news-events/ics-advisories/icsa-19-050-04