Multiple Vulnerabilities for CoDeSys

Tuesday, January 10, 2012 @ 06:01 PM gHale


There are multiple vulnerabilities in the 3S Smart Software Solutions CoDeSys product, according to an ICS-CERT report.

Independent researcher Luigi Auriemma publicly disclosed five vulnerabilities along with proof-of-concept (PoC) exploit code, including the vulnerability previously coordinated with ICS-CERT by Celil Unuver of SignalSec LLC, without coordinating with 3S Smart Software Solutions or ICS-CERT.

ICS-CERT has coordinated these vulnerabilities with 3S Smart Software Solutions, and they have produced new versions for CoDeSys V3 and V2.3 that mitigate these vulnerabilities. Auriemma confirmed the new versions fully resolve the reported vulnerabilities.

The vulnerabilities are: integer overflow, stack overflow, Content-Length NULL pointer, invalid HTTP request NULL pointer, and folders creation.

Successful exploitation of these vulnerabilities may allow an attacker to cause a denial of service (DoS) or to execute arbitrary code.

Germany-based 3S Smart Software Solutions GmbH produces CoDeSys.

According to 3S Smart Software Solutions, CoDeSys is used across several sectors of the automation industry: by manufacturers of industrial controllers and intelligent automation devices, by end users in a range of industries, and by system integrators who build automation solutions on CoDeSys.

INTEGER OVERFLOW
An attacker could exploit this vulnerability by sending specially crafted packets to Port 1217/TCP. CVE-2011-5008 is the number assigned to this vulnerability.

STACK OVERFLOW
An attacker could exploit this vulnerability by sending an overly long URL to Port 8080/TCP. CVE-2011-5007 is the number assigned to this vulnerability.

CONTENT-LENGTH NULL POINTER
An attacker could exploit this vulnerability by sending a specially crafted Content-Length header to Port 8080/TCP. CVE-2011-5009 is the number assigned to this vulnerability.

The CoDeSys versions affected include:
• Version 2.3
• Version 3.4

INVALID HTTP REQUEST NULL POINTER
An attacker could exploit this vulnerability by sending a request with an unknown HTTP method to Port 8080/TCP. CVE-2011-5009 is the number assigned to this vulnerability.

FOLDERS CREATION
An attacker could exploit this vulnerability by sending a web request containing a nonexistent directory to Port 8080/TCP. Exploitation of this vulnerability results in the creation of arbitrary directories.

All vulnerabilities are remotely exploitable. An attacker with a low skill level can create the DoS, whereas it would require a more skilled attacker to execute arbitrary code.
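The four web-facing defect classes above (an over-long URL, a malformed Content-Length header, an unrecognised HTTP method, and directories created from a request path) all stem from acting on a request before validating it. The Python below is an added example, not code from CoDeSys or 3S, showing the checks a small embedded HTTP front end should run before any handler sees the request; it is written for any such listener rather than one specific product. The size limits, the method allowlist, the document root and the sample requests are assumptions constructed for the demonstration.

```python
"""Request validation for a small HTTP front end on an embedded controller.

Added example, not CoDeSys or 3S code: each check corresponds to one class
of defect in the advisory (over-long URL, malformed Content-Length, unknown
HTTP method, directory creation from a request path). The limits, method
allowlist and document root are assumptions chosen for the demo.
"""
import os
from posixpath import normpath
from urllib.parse import unquote

MAX_URL_LEN = 2048            # assumed bound; copying an unbounded URL into a fixed buffer is the stack-overflow class
MAX_CONTENT_LENGTH = 1 << 20  # assumed bound; keeps the parsed value far from integer-width limits
ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # assumed allowlist; anything else is answered, never dispatched
DOC_ROOT = "/srv/www"         # assumed document root


class RequestError(ValueError):
    """Carries the status line the server should answer with."""


def parse_header_lines(lines):
    """Build a case-insensitive header map; a repeated Content-Length is refused."""
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise RequestError("400 malformed header line")
        key = name.lower()
        if key == "content-length" and key in headers:
            raise RequestError("400 duplicate Content-Length")
        headers[key] = value.strip()
    return headers


def content_length(headers, method):
    """Return a bounded, non-negative body length, or refuse the request."""
    raw = headers.get("content-length")
    if raw is None:
        if method == "POST":
            raise RequestError("411 length required")
        return 0
    if not raw.isdigit():  # rejects "", "-1", "+5", "0x10", "abc"
        raise RequestError("400 Content-Length is not a decimal integer")
    length = int(raw)
    if length > MAX_CONTENT_LENGTH:
        raise RequestError("413 payload too large")
    return length


def resolve_path(target, doc_root):
    """Map the request target onto a path inside doc_root, refusing traversal."""
    path = unquote(target.split("?", 1)[0])
    if "\x00" in path or not path.startswith("/"):
        raise RequestError("400 bad request target")
    if ".." in path.split("/"):  # refuse rather than silently normalise away
        raise RequestError("403 path escapes the document root")
    clean = normpath(path)
    if clean == "/":
        clean = "/index.html"
    return doc_root + clean


def validate_request(raw, doc_root=DOC_ROOT):
    """Parse the request head and return (method, path, content_length)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise RequestError("400 incomplete header block")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise RequestError("400 non-ASCII bytes in header") from None
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        raise RequestError("400 malformed request line")
    method, target, _version = parts
    if method not in ALLOWED_METHODS:  # answer 501 instead of dereferencing a missing handler
        raise RequestError("501 method not implemented")
    if len(target) > MAX_URL_LEN:  # check the length before anything copies the URL
        raise RequestError("414 URI too long")
    headers = parse_header_lines(lines[1:])
    length = content_length(headers, method)
    path = resolve_path(target, doc_root)
    return method, path, length


def locate_file(path):
    """Only existing regular files are served; nothing here ever creates a directory."""
    if not os.path.isfile(path):
        raise RequestError("404 not found")
    return path


def rejection(raw, doc_root=DOC_ROOT):
    """Return the status line a request would be refused with, or None if it passes."""
    try:
        _method, path, _length = validate_request(raw, doc_root)
        locate_file(path)
    except RequestError as err:
        return str(err)
    return None
```

The order of checks matters: the method and URL length are verified on the request line before any header is parsed or any buffer is filled, Content-Length is parsed only as a bounded decimal, and the file-serving step can only open something that already exists, so a request naming a missing directory is answered with 404 rather than used as an instruction to create one.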

3S Smart Software Solutions developed a new version of CoDeSys that resolves these vulnerabilities (V3.5 and V2.3.9.32). Customers can download the new versions for CoDeSys from the 3S Smart Software Solutions customer download site.
