3S-Smart Software Solutions GmbH CODESYS V3 Products Containing a CODESYS Communication Server

Plan PatchCVSS 9.8ICS-CERT ICSA-19-255-05Sep 12, 2019

CODESYSWAGOBeckhoffPilzManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The CODESYS Communication Server in CODESYS V3 and related products (version prior to 3.5.15.0) contains a vulnerability that allows a remote attacker to crash the communication server by sending a malformed packet (CWE-390 – Incomplete Check or Handling of Exceptional Conditions). This results in a denial-of-service condition, preventing the controller or gateway from responding to legitimate commands until the service is restarted. All CODESYS Control variants (emPC-A/iMX6, RTE V3 for Beckhoff, Raspberry Pi, Win V3, BeagleBone, Linux, PFC200, PFC100, IOT2000), CODESYS HMI V3, CODESYS Gateway V3, CODESYS V3 Safety SIL2, and the V3 Simulation Runtime are affected.

What this means

What could happen

A remote attacker can send malformed packets to the CODESYS Communication Server, causing it to crash and stop responding to legitimate commands. This would halt your automation system or HMI until the controller is manually restarted.

Who's at risk

Manufacturing facilities using CODESYS V3 automation software on any platform (industrial PCs, Beckhoff CX controllers, WAGO PFC controllers, Raspberry Pi, BeagleBone, Linux systems, or as part of the development system). This includes control systems running CODESYS Control, HMI V3, Safety SIL2, and Gateway products.

How it could be exploited

An attacker with network access to a CODESYS controller or gateway (typically port 2455) sends a specially crafted packet that causes the communication server to crash, triggering a denial of service. No authentication is required.

Prerequisites

Network access to CODESYS Communication Server port (default 2455 or configured port)
CODESYS product running version prior to 3.5.15.0
No authentication required to trigger the crash

remotely exploitableno authentication requiredlow complexityaffects automation availability and uptimeno public exploits currently known

Exploitability

Unlikely to be exploited — EPSS score 0.9%

Affected products (16)

16 with fix

ProductAffected VersionsFix Status

PMC programming tool 3.x.x 3.0.0 <= 3.5.153.0.0≤ 3.5.153.5.17

CODESYS Control for emPC-A/iMX6: all< 3.5.15.03.5.15.0

CODESYS Control RTE V3 (for Beckhoff CX): all< 3.5.15.03.5.15.0

CODESYS Control for Raspberry Pi: all< 3.5.15.03.5.15.0

CODESYS Control Win V3 (part of the CODESYS Development System setup): all< 3.5.15.03.5.15.0

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDRestrict network access to CODESYS Communication Server ports (default 2455) using firewalls—only allow connections from authorized engineering workstations and approved control networks

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate all CODESYS products to version 3.5.15.0 or later

HARDENINGEnable user management and password authentication on all CODESYS controllers and development systems

Long-term hardening

0/2

HARDENINGImplement network segmentation to isolate CODESYS development and runtime systems from general office networks and the internet

HARDENINGIf remote engineering access is required, use a VPN tunnel rather than exposing the CODESYS Communication Server directly to the network

CVEs (27)

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/47c91afc-28d0-4bc7-a1fe-a69bfa49bd95

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.