Mitigations for CoDeSys Toolkit

Monday, January 14, 2013 @ 06:01 PM gHale


There are mitigation details for multiple vulnerabilities that affect the 3S-Smart Software Solutions CoDeSys Runtime Toolkit, according to at report on ICS-CERT.

There was an improper access control and a directory traversal vulnerability in the 3S CoDeSys Runtime application that independent researcher Reid Wightman of IOActive, formerly of Digital Bond, released without coordination with ICS-CERT, the vendor, or any other coordinating entity known to ICS-CERT.

RELATED STORIES
SpecView Mitigates SCADA/HMI Bug
Mitigations for SIMATIC RF Manager
ControlLogix Firmware Patches
Advantech WebAccess Bug Reported

Exploitation of these vulnerabilities would allow unauthorized access to the system and unauthorized access to the file system. The CoDeSys Runtime Toolkit is in a number of vendor’s products worldwide. 3S has developed a patch that implements a password for authentication to the system. Reid Wightman validated the 3S patch mitigates these remotely exploitable vulnerabilities.

Exploits that target these vulnerabilities are publicly available. Wightman has released proof-of-concept (PoC) code for these vulnerabilities.

The following 3S CoDeSys Runtime versions suffer from the issue:
• CoDeSys Version 2.3.X
• CoDeSys Version 2.4.X

CoDeSys Version 3.X does not suffer from these vulnerabilities.

The improper access control vulnerability allows attackers to gain unauthorized administrative access to the device. Once obtained, the attacker has the ability to perform privileged operations without a password. Attackers can also exploit the directory traversal vulnerability to read and write to the file system.

The 3S CoDeSys Runtime Toolkit is an embedded system used in a variety of different products manufactured by various vendors. The CoDeSys Runtime Toolkit is in over 260 individual products, according to the ICS-CERT report.

Devices and programmable logic controllers (PLCs) that use the embedded CoDeSys Runtime Toolkit are in various industries to include critical manufacturing, energy, transportation, and others.

3S-Smart Software Solutions is a German-based company that maintains offices in Germany and China. 3S develops software used in various PLC and industrial controllers. 3S also develops products specifically for visualization applications (HMIs), engineering desktop programming platforms, safety modules, and fieldbus controllers.

The affected product, CoDeSys Runtime Toolkit, embeds in third-party software used in various manufacturers’ SCADA systems. According to 3S, CoDeSys sees use across several sectors including critical manufacturing, building automation, energy, transportation, and others.

The CoDeSys Runtime Toolkit does not require users to authenticate when connecting to the device. An attacker could obtain administrative privileges on the device by default. This could allow the attacker to compromise the availability, integrity, and confidentiality of the device.

CVE-2012-6068 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

The CoDeSys Runtime Toolkit’s file transfer functionality does not perform input validation, which allows an attacker to access files and directories outside the intended scope. This allows an attacker to upload and download any file on the device. This could allow the attacker to affect the availability, integrity, and confidentiality of the device.

CVE-2012-6069 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

An attacker with a low skill would be able to exploit these vulnerabilities.

3S released a press release concerning these vulnerabilities to their News & Events page, which details the patch released to mitigate the vulnerabilities. The patch released by 3S implements a password for authentication to the device.

Users can download the patch from the CoDeSys Download Center. 3S also recommends the usage of standard security methods like firewalls or Virtual Private Network (VPN) access to prevent unauthorized access to the controller.



One Response to “Mitigations for CoDeSys Toolkit”


Leave a Reply

You must be logged in to post a comment.