CODESYS RCE vulnerabilities affect industrial PLCs
Target Industry
Manufacturing sector.
Overview
Programmable logic controllers (PLCs) utilised in industrial environments are exposed to 15 vulnerabilities in the CODESYS V3 software development kit, which could lead to remote code execution (RCE) and denial of service (DoS) attacks. The vulnerabilities are listed below and have been assigned CVSSv3 scores within the high severity level (CVSS v3: 7.5 – 8.8):
CVE-2022-47378
CVE-2022-47379
CVE-2022-47380
CVE-2022-47381
CVE-2022-47382
CVE-2022-47383
CVE-2022-47384
CVE-2022-47385
CVE-2022-47386
CVE-2022-47387
CVE-2022-47388
CVE-2022-47389
CVE-2022-47390
CVE-2022-47392
CVE-2022-47393.
Although successful exploitation requires authentication, this condition can be bypassed by exploiting CVE-2019-9013.
Impact
Successful exploitation of the vulnerabilities listed above can allow threat actors to perform RCE and DoS attacks, thus leading to the compromise of the integrity and availability of data.
Vulnerability Detection
CODESYS has released security updates addressing these vulnerabilities. Installations running versions earlier than the fixed releases listed under Affected Products remain vulnerable to exploitation.
Affected Products
The following products have been affected, provided that they operate versions prior to 3.5.19.0:
CODESYS Control RTE (SL)
CODESYS Control RTE (for Beckhoff CX) SL
CODESYS Control Win (SL)
CODESYS Control Runtime System Toolkit
CODESYS Safety SIL2 Runtime Toolkit
CODESYS Safety SIL2 PSP
CODESYS HMI (SL)
CODESYS Development System V3
CODESYS Development System V3 simulation runtime.
Additionally, the following products are affected, provided that they operate versions prior to 4.8.0.0:
CODESYS Control for BeagleBone SL
CODESYS Control for emPC-A/iMX6 SL
CODESYS Control for IOT2000 SL
CODESYS Control for Linux SL
CODESYS Control for PFC100 SL
CODESYS Control for PFC200 SL
CODESYS Control for PLCnext SL
CODESYS Control for Raspberry Pi SL
CODESYS Control for WAGO Touch Panels 600 SL.
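As an added example that is not part of this advisory or of CODESYS's own tooling, the following Python script encodes the two fixed-version thresholds stated above (3.5.19.0 for the first product group, 4.8.0.0 for the second) and flags inventory rows that still need the upgrade. The asset inventory it runs over is constructed for illustration; product names are expected to match the advisory's spelling.

```python
"""Version check against the fixed CODESYS V3 releases named in the advisory.

Added example, not CODESYS tooling. The product-to-fixed-version mapping is taken
from the advisory text; the sample inventory at the bottom is constructed.
"""
from __future__ import annotations

# Fixed versions stated in the advisory: the first product group is fixed in
# 3.5.19.0, the second group (Control SL runtimes for embedded/Linux targets) in 4.8.0.0.
FIXED_VERSION: dict[str, str] = {
    "CODESYS Control RTE (SL)": "3.5.19.0",
    "CODESYS Control RTE (for Beckhoff CX) SL": "3.5.19.0",
    "CODESYS Control Win (SL)": "3.5.19.0",
    "CODESYS Control Runtime System Toolkit": "3.5.19.0",
    "CODESYS Safety SIL2 Runtime Toolkit": "3.5.19.0",
    "CODESYS Safety SIL2 PSP": "3.5.19.0",
    "CODESYS HMI (SL)": "3.5.19.0",
    "CODESYS Development System V3": "3.5.19.0",
    "CODESYS Development System V3 simulation runtime": "3.5.19.0",
    "CODESYS Control for BeagleBone SL": "4.8.0.0",
    "CODESYS Control for emPC-A/iMX6 SL": "4.8.0.0",
    "CODESYS Control for IOT2000 SL": "4.8.0.0",
    "CODESYS Control for Linux SL": "4.8.0.0",
    "CODESYS Control for PFC100 SL": "4.8.0.0",
    "CODESYS Control for PFC200 SL": "4.8.0.0",
    "CODESYS Control for PLCnext SL": "4.8.0.0",
    "CODESYS Control for Raspberry Pi SL": "4.8.0.0",
    "CODESYS Control for WAGO Touch Panels 600 SL": "4.8.0.0",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted version such as '3.5.18.40' into a comparable tuple.

    Missing trailing components are padded with zeros so that '4.8' compares
    equal to '4.8.0.0'. Raises ValueError for anything that is not dotted integers.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(product: str, version: str) -> bool | None:
    """True if the product runs a release older than its fixed version,
    False if it is at or beyond the fixed version, None if the product is
    not one of the affected products listed in the advisory."""
    fixed = FIXED_VERSION.get(product)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def triage(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str, str]]:
    """Classify (asset, product, version) rows.

    Returns (asset, product, version, status) with status one of
    'PATCH REQUIRED', 'fixed', 'not in advisory' or 'unparseable version'.
    A version string the runtime did not report cleanly is surfaced rather
    than silently treated as fixed.
    """
    out: list[tuple[str, str, str, str]] = []
    for asset, product, version in inventory:
        try:
            state = is_vulnerable(product, version)
        except ValueError:
            out.append((asset, product, version, "unparseable version"))
            continue
        if state is None:
            status = "not in advisory"
        elif state:
            status = "PATCH REQUIRED"
        else:
            status = "fixed"
        out.append((asset, product, version, status))
    return out


# Constructed sample inventory (hypothetical asset names and versions).
SAMPLE_INVENTORY = [
    ("plc-line1", "CODESYS Control for Raspberry Pi SL", "4.7.0.0"),
    ("plc-line2", "CODESYS Control for Linux SL", "4.8.0.0"),
    ("eng-ws01", "CODESYS Development System V3", "3.5.18.40"),
    ("eng-ws02", "CODESYS Development System V3", "3.5.19.10"),
    ("hmi-03", "CODESYS HMI (SL)", "3.5.19"),
    ("scada-01", "Some Other Runtime", "1.0"),
    ("plc-line9", "CODESYS Control Win (SL)", "unknown"),
]

if __name__ == "__main__":
    for asset, product, version, status in triage(SAMPLE_INVENTORY):
        print(f"{asset:10} {status:20} {product} {version}")
```

The comparison is a plain numeric tuple comparison of the version reported by each runtime, so a row whose version cannot be parsed is reported separately instead of being counted as fixed; products not named in the advisory are reported as such rather than assumed safe.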
Containment, Mitigations & Remediations
It is strongly recommended that administrators apply the upgrade to CODESYS V3 v3.5.19.0 as soon as possible. Microsoft also recommends that PLCs be disconnected from the internet.
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available currently.
Threat Landscape
CODESYS occupies a significant portion of the integrated development environment market share. Given that threat actors generally weigh the probability of success against asset value when choosing which attack surfaces to focus on, these products could emerge as a prime target. Because CODESYS products have become an integral part of Industrial Control Systems (ICS) operations, threat actors will continue to exploit the associated vulnerabilities in an attempt to exfiltrate sensitive data contained therein or to disrupt associated business operations.
Threat Group
No attribution to specific threat actors or groups has been identified at the time of writing.
Mitre Methodologies
ICS Lateral Movement Technique:
T0866 – Exploitation of Remote Services