OTPulse

3S-Smart Software Solutions GmbH CODESYS V3 Products Containing a CODESYS Communication Server

Plan Patch | CVSS 7.5 | ICS-CERT ICSA-19-255-05 | Sep 12, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The CODESYS Communication Server in CODESYS V3 and related products (versions prior to 3.5.15.0) contains a vulnerability that allows a remote attacker to crash the communication server by sending a malformed packet (CWE-390 – Incomplete Check or Handling of Exceptional Conditions). This results in a denial-of-service condition, preventing the controller or gateway from responding to legitimate commands until the service is restarted. All CODESYS Control variants (emPC-A/iMX6, RTE V3 for Beckhoff, Raspberry Pi, Win V3, BeagleBone, Linux, PFC200, PFC100, IOT2000), CODESYS HMI V3, CODESYS Gateway V3, CODESYS V3 Safety SIL2, and the V3 Simulation Runtime are affected.

What this means
What could happen
A remote attacker can send malformed packets to the CODESYS Communication Server, causing it to crash and stop responding to legitimate commands. This would halt your automation system or HMI until the controller is manually restarted.
Who's at risk
Manufacturing facilities using CODESYS V3 automation software on any platform (industrial PCs, Beckhoff CX controllers, WAGO PFC controllers, Raspberry Pi, BeagleBone, Linux systems, or as part of the development system). This includes control systems running CODESYS Control, HMI V3, Safety SIL2, and Gateway products.
How it could be exploited
An attacker with network access to a CODESYS controller or gateway (typically port 2455) sends a specially crafted packet that causes the communication server to crash, triggering a denial of service. No authentication is required.
Prerequisites
  • Network access to CODESYS Communication Server port (default 2455 or configured port)
  • CODESYS product running version prior to 3.5.15.0
  • No authentication required to trigger the crash
  • remotely exploitable
  • no authentication required
  • low complexity
  • affects automation availability and uptime
  • no public exploits currently known
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (15)
15 with fix
Product | Affected Versions | Fix Status
CODESYS Control for emPC-A/iMX6: all | < 3.5.15.0 | 3.5.15.0
CODESYS Control RTE V3 (for Beckhoff CX): all | < 3.5.15.0 | 3.5.15.0
CODESYS Control for Raspberry Pi: all | < 3.5.15.0 | 3.5.15.0
CODESYS Control Win V3 (part of the CODESYS Development System setup): all | < 3.5.15.0 | 3.5.15.0
CODESYS Control for BeagleBone: all | < 3.5.15.0 | 3.5.15.0
CODESYS Control for Linux: all | < 3.5.15.0 | 3.5.15.0
CODESYS Control for PFC200: all | < 3.5.15.0 | 3.5.15.0
CODESYS Control for IOT2000: all | < 3.5.15.0 | 3.5.15.0
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to CODESYS Communication Server ports (default 2455) using firewalls; only allow connections from authorized engineering workstations and approved control networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all CODESYS products to version 3.5.15.0 or later
HARDENING: Enable user management and password authentication on all CODESYS controllers and development systems
Long-term hardening
HARDENING: Implement network segmentation to isolate CODESYS development and runtime systems from general office networks and the internet
HARDENING: If remote engineering access is required, use a VPN tunnel rather than exposing the CODESYS Communication Server directly to the network
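
To track the patch and firewall actions above, the following added example (not part of the advisory or of any CODESYS tooling) flags inventory entries below the fixed version 3.5.15.0 and flow records reaching the communication server port from outside an allowlist. The inventory layout, host names, flow tuples and the engineering subnet are constructed assumptions.

```python
import csv
import io
import ipaddress

FIXED = (3, 5, 15, 0)   # fix version stated in the advisory
COMM_PORT = 2455        # default port per the advisory; change if reconfigured

# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = """host,product,version
plc-line1,CODESYS Control for PFC200,3.5.14.30
plc-line2,CODESYS Control for Raspberry Pi,3.5.15.0
hmi-01,CODESYS HMI V3,3.5.9.40
gw-01,CODESYS Gateway V3,unknown
"""

# Constructed flow records: (source IP, destination host, destination port).
FLOWS = [
    ("10.20.0.15", "plc-line1", 2455),
    ("192.168.50.7", "plc-line1", 2455),
    ("192.168.50.7", "hmi-01", 443),
]
ALLOWED = ["10.20.0.0/24"]  # assumed engineering-workstation subnet


def parse_version(text):
    """Return a 4-tuple of ints, or None if not a four-part dotted version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def needs_patch(inventory_csv):
    """Hosts below the fixed version; unparseable versions are flagged too."""
    out = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        v = parse_version(row["version"])
        # Numeric tuple comparison: as strings, "3.5.9.40" sorts after "3.5.15.0".
        if v is None or v < FIXED:
            out.append(row["host"])
    return out


def unauthorized_sources(flows, allowed, port=COMM_PORT):
    """Flows to the communication server port from outside the allowed networks."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    return [(src, dst) for src, dst, dport in flows
            if dport == port
            and not any(ipaddress.ip_address(src) in n for n in nets)]
```

Hosts with an unknown or malformed version string are reported alongside the outdated ones so they get checked by hand rather than silently passing.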
3S-Smart Software Solutions GmbH CODESYS V3 Products Containing a CODESYS Communication Server | CVSS 7.5 - OTPulse