3S Fixes Null Pointer Exception

Wednesday, October 21, 2015 @ 12:10 PM gHale

3S-Smart Software Solutions GmbH created a new version to mitigate a null pointer exception vulnerability in its CODESYS Gateway Server, according to a report on ICS-CERT.

Ashish Kamble of Qualys, who discovered the remotely exploitable vulnerability, tested the new version to validate it resolves the problem.


The CODESYS Gateway Server, Version and prior versions suffer from the issue.

Null pointer exceptions cause the server to crash, creating a denial of service.

3S-Smart Software Solutions GmbH is headquartered in Kempten, Germany, and has distributors in more than 10 countries worldwide.

The affected product, CODESYS Gateway Server, is a software-defined server. This server primarily sees action in the critical manufacturing and energy sectors. 3S-Smart Software Solutions GmbH estimates that these products see use on a global basis.

In the null pointer exception issue, the server fails to handle certain HTTP POST/GET requests, which leads to a null pointer exception that crashes the server process. The result of the crash would be a denial of service.

CVE-2015-6484 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

No known public exploits specifically target this vulnerability. An attacker with low skill would be able to exploit this vulnerability.

3S-Smart Software Solutions GmbH released a new version of CODESYS, Version, which addresses the null pointer exception vulnerability. CODESYS, Version is now available.

Click here for additional information about the new version of CODESYS or questions about the vulnerability.