3S CODESYS Gateway Null Pointer Exception Vulnerability
Monitor · 7.5 · ICS-CERT ICSA-15-293-03 · Jul 23, 2015
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
CODESYS Gateway Server versions 2.3.9.47 and earlier contain a null pointer exception vulnerability in request processing. An attacker can send a specially crafted network packet to the gateway without authentication, causing the service to crash and disrupting all PLC communications relying on that gateway. The vulnerability is classified as CWE-476 (null pointer dereference). No patch is planned as this product line is end-of-life. The vendor recommends defensive network measures.
What this means
What could happen
An attacker could send a specially crafted network request to CODESYS Gateway Server and cause it to crash, interrupting communications between engineering workstations and your programmable controllers (PLCs).
Who's at risk
This affects any organization using CODESYS Gateway Server 2.3.9.47 or earlier for remote or networked access to PLC engineering and maintenance. Water utilities, electric utilities, wastewater systems, and industrial manufacturers using CODESYS-based controllers are at risk if the gateway is exposed to untrusted networks.
How it could be exploited
An attacker on the network sends a malformed packet to the CODESYS Gateway Server listening port. The server attempts to process the request without validating a pointer, causing a null pointer exception that crashes the gateway service and disrupts all connected PLC communications.
Prerequisites
- Network access to CODESYS Gateway Server port (default 2455)
- No authentication required
- Remotely exploitable
- No authentication required
- Low complexity attack
- No patch available (end-of-life product)
- Service availability impact
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| CODESYS Gateway Server | ≤ 2.3.9.47 | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Network segmentation: Restrict access to CODESYS Gateway Server to engineering workstations and isolated networks only; deny inbound access from untrusted networks or the Internet
- HARDENING: Implement firewall rules to block access to CODESYS Gateway Server port from any network segment that does not require direct communication
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor CODESYS Gateway Server for unexpected crashes or service restarts as an indicator of exploitation attempts
Mitigations - no patch available
CODESYS Gateway Server ≤ 2.3.9.47 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Plan upgrade path to a maintained CODESYS version or equivalent product with ongoing vendor support, as CODESYS Gateway Server 2.3.9.47 and earlier will not receive patches
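
One way to act on the crash-monitoring recommendation above, as an added example that is not part of the advisory or any vendor tooling: it reads Windows Service Control Manager events 7031/7034 (service terminated unexpectedly) from an exported System log and flags repeated gateway crashes in a short window. The service display name, the pipe-separated export format and the sample lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: the gateway's Windows service display name; adjust to your host.
SERVICE_NAME = "CoDeSys Gateway Service"
CRASH_EVENT_IDS = {7031, 7034}  # Service Control Manager: terminated unexpectedly

# Constructed sample export of the System log: "timestamp|event_id|message".
SAMPLE_EVENTS = """\
2024-01-15T08:00:12|7036|The CoDeSys Gateway Service service entered the running state.
2024-01-15T09:14:03|7034|The CoDeSys Gateway Service service terminated unexpectedly. It has done this 1 time(s).
2024-01-15T09:16:21|7034|The CoDeSys Gateway Service service terminated unexpectedly. It has done this 2 time(s).
2024-01-15T09:19:55|7031|The CoDeSys Gateway Service service terminated unexpectedly. It has done this 3 time(s).
2024-01-15T09:20:10|7034|The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
2024-01-16T03:00:00|7034|The CoDeSys Gateway Service service terminated unexpectedly. It has done this 4 time(s).
truncated line without fields
"""

def parse_crashes(text, service=SERVICE_NAME):
    """Return sorted timestamps of unexpected terminations of `service`."""
    crashes = []
    for line in text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # malformed line
        try:
            when, event_id = datetime.fromisoformat(parts[0]), int(parts[1])
        except ValueError:
            continue  # unparseable timestamp or event id
        if event_id in CRASH_EVENT_IDS and parts[2].startswith(f"The {service} service "):
            crashes.append(when)
    return sorted(crashes)

def crash_bursts(crashes, threshold=3, window=timedelta(minutes=10)):
    """Return (first, last, count) for each run of >= threshold crashes within window."""
    bursts, i = [], 0
    while i < len(crashes):
        j = i
        while j + 1 < len(crashes) and crashes[j + 1] - crashes[i] <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            bursts.append((crashes[i], crashes[j], count))
        i = j + 1 if count >= threshold else i + 1  # slide by one if no burst here
    return bursts

if __name__ == "__main__":
    for first, last, count in crash_bursts(parse_crashes(SAMPLE_EVENTS)):
        print(f"ALERT: {count} gateway crashes between {first} and {last}")
```

Every timestamp returned by `parse_crashes` is worth reviewing on its own; the burst check only raises priority when crashes repeat shortly after restart.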
CVEs (1)