3S-Smart Software Solutions GmbH CODESYS V3 Library Manager (Update A)

Plan PatchCVSS 8.6ICS-CERT ICSA-19-255-02Sep 12, 2019

CODESYS

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

A vulnerability in CODESYS V3 Library Manager allows malicious content embedded in library files to be displayed or executed when a developer opens the library. The vulnerability affects all 32-bit and 64-bit versions of CODESYS Development System V3 prior to version 3.5.16.0. An attacker with local access to the development workstation could manipulate library files to inject malicious code that executes in the engineering environment. While not remotely exploitable, compromise of the development system could lead to injection of malicious logic into control programs deployed to production systems.

What this means

What could happen

An attacker with local access to a CODESYS development system could inject malicious code into libraries that gets executed when those libraries are displayed or loaded, potentially compromising the integrity of control logic before deployment to production systems.

Who's at risk

Development teams and system integrators who use CODESYS V3 development environment (both 32-bit and 64-bit versions) to program PLCs and industrial controllers. This affects engineering workstations where control logic is created and tested before deployment to production systems.

How it could be exploited

An attacker must have local access to the engineering workstation running CODESYS V3. They manipulate a library file to contain malicious content. When a CODESYS developer loads or views that library through the Library Manager interface, the malicious content is executed in the context of the development environment. The compromised library could then be deployed to controllers.

Prerequisites

Local access to the CODESYS V3 development system
User interaction required—a developer must open or interact with the manipulated library in the Library Manager
CODESYS Development System version prior to 3.5.16.0

Local access required onlyUser interaction requiredLow complexity attackAffects development/engineering systems that feed into productionDefault CODESYS environments may lack access controls

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (1)

ProductAffected VersionsFix Status

All 32 and 64 bit CODESYS Development System V3:< 3.5.16.03.5.16.0

Remediation & Mitigation

0/5

Do now

0/1

HARDENINGEnable antivirus and malware detection on development workstations

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate CODESYS Development System V3 to version 3.5.16.0 or later

HARDENINGImplement user authentication and password policies on development systems

Long-term hardening

0/2

HARDENINGRestrict local access to development workstations through physical security and operating system access controls

HARDENINGIsolate development network from production networks using firewalls

CVEs (1)

CVE-2019-13538

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b496dd16-4654-4cdc-a9cf-b77cc8d1651c

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.