Festo: Controller CECC-S,LK,D family firmware 2.4.2.0 - multiple vulnerabilities in CODESYS V3 runtime system
Severity: Act Now (score 9.8)
Advisory ID: FSA-202203
Published: Jul 18, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Festo controller CECC product family (CECC-S, CECC-LK, CECC-D) in firmware version 2.4.2.0 contains multiple vulnerabilities in the CODESYS V3 runtime system. The vulnerabilities include buffer overflow, null pointer dereference, improper input validation, out-of-bounds access, weak random number generation, improper resource handling, and weak cryptography, affecting the runtime environment that executes control logic on these programmable logic controllers.
What this means
What could happen
An attacker with network access to an affected Festo CECC controller could execute arbitrary code, read sensitive data, or crash the device, potentially causing loss of process control and operational interruption in water treatment, electric distribution, or manufacturing environments using these controllers.
Who's at risk
Operators of water treatment plants, electric utilities, and manufacturing facilities using Festo CECC-S, CECC-LK, or CECC-D controllers for critical automation and process control should prioritize mitigation. These controllers manage pressure regulation, flow control, motor drives, and safety interlocks in distributed control systems. Any organization running firmware version 2.4.2.0 on these devices is affected.
How it could be exploited
An attacker can send specially crafted network packets to the CODESYS V3 runtime on the controller to trigger buffer overflow or other memory corruption vulnerabilities, allowing remote code execution without authentication. Once code execution is achieved, the attacker can modify control logic, alter setpoints, or stop the application runtime entirely.
Prerequisites
- Network connectivity to the Festo CECC controller on the port used by CODESYS V3 runtime (typically port 11740)
- No valid credentials or authentication required
Tags: remotely exploitable · no authentication required · low complexity · no patch available · critical severity · affects safety and control systems
Affected products (3), all End of Life (EOL)
Product            | Affected Versions          | Fix Status
Controller CECC-D  | R07 (07.06.2021) = 2.4.2.0 | No fix (EOL)
Controller CECC-LK | R07 (07.06.2021) = 2.4.2.0 | No fix (EOL)
Controller CECC-S  | R07 (07.06.2021) = 2.4.2.0 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate affected Festo CECC controllers from untrusted networks using network segmentation or firewall rules; restrict inbound access to port 11740 and related CODESYS ports to trusted engineering workstations and automation systems only.
HARDENING: Implement network-based intrusion detection or filtering rules to monitor and block suspicious traffic patterns targeting CODESYS V3 runtime ports.
WORKAROUND: Place affected controllers behind a firewall or industrial proxy that inspects and validates CODESYS protocol traffic before it reaches the device.
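The two hardening items above (an allow-list of engineering hosts, plus monitoring of traffic to the CODESYS runtime port) can be checked against firewall logs. The following is an added example, not part of the Festo advisory: it parses constructed iptables-style log lines and reports any connection to a CECC controller on TCP 11740 that does not come from an allow-listed engineering workstation. The controller and workstation addresses, the log format and the single-port set are assumptions for the example.

```python
import re
from typing import Dict, List, Optional

# Hypothetical inventory, constructed for this example: addresses of the
# Festo CECC controllers and of the engineering hosts allowed to reach them.
CECC_CONTROLLERS = {"10.20.1.11", "10.20.1.12"}
TRUSTED_ENGINEERING = {"10.20.0.5"}
# Port the advisory names for the CODESYS V3 runtime (assumption: only this
# port is exposed; extend the set if your deployment uses further CODESYS ports).
CODESYS_PORTS = {11740}

# iptables/conntrack-style log format assumed for this example.
LOG_RE = re.compile(
    r"(?P<ts>\S+) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Extract timestamp, source, destination, protocol and destination port."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def flag_codesys_access(lines: List[str]) -> List[dict]:
    """Return one finding per connection to a CECC controller on a CODESYS port
    whose source is not an allow-listed engineering workstation."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated or unparsable log line
        if rec["dst"] not in CECC_CONTROLLERS or int(rec["dpt"]) not in CODESYS_PORTS:
            continue  # not aimed at a controller's CODESYS runtime port
        if rec["src"] in TRUSTED_ENGINEERING:
            continue  # expected engineering traffic: keep for audit, no alert
        findings.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                         "dport": int(rec["dpt"]),
                         "reason": "untrusted source reached CODESYS runtime port"})
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2022-07-18T09:00:01Z fw kernel: IN=eth1 OUT=eth2 SRC=10.20.0.5 DST=10.20.1.11 PROTO=TCP SPT=51000 DPT=11740",
    "2022-07-18T09:00:02Z fw kernel: IN=eth0 OUT=eth2 SRC=192.0.2.77 DST=10.20.1.11 PROTO=TCP SPT=40123 DPT=11740",
    "2022-07-18T09:00:03Z fw kernel: IN=eth0 OUT=eth2 SRC=192.0.2.77 DST=10.20.1.12 PROTO=TCP SPT=40124 DPT=502",
    "2022-07-18T09:00:04Z fw kernel: IN=eth1 OUT=eth2 SRC=10.20.0.9 DST=10.20.1.12 PROTO=TCP SPT=52000 DPT=11740",
]

if __name__ == "__main__":
    for finding in flag_codesys_access(SAMPLE_LOG):
        print(finding)
```

Run against the sample, only the two connections from non-allow-listed hosts to port 11740 are reported; the allow-listed workstation and the non-CODESYS port are ignored.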
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Controller CECC-D, Controller CECC-LK, Controller CECC-S. Apply the following compensating controls:
HARDENING: Plan migration to next-generation Festo hardware with patched firmware as soon as feasible in your maintenance roadmap, given that no fix is planned for the current hardware.
CVEs (18)