CODESYS Control V2 communication
Act Now · CVSS 9.8 · ICS-CERT ICSA-21-173-03 · Jun 22, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Buffer overflow vulnerabilities in CODESYS Runtime Toolkit 32-bit full and PLCWinNT (versions prior to 2.4.7.55) allow remote code execution or denial of service. Malformed network messages can trigger a heap-based buffer overflow, a stack-based buffer overflow, or a buffer over-read in the affected products, potentially allowing an attacker to execute arbitrary commands on the PLC or to crash the runtime and stop process control.
What this means
What could happen
An attacker with network access could trigger a buffer overflow in the CODESYS runtime, causing the PLC to crash and halt process control, or potentially execute arbitrary code to alter setpoints, disable safety functions, or manipulate equipment operation.
Who's at risk
Manufacturing facilities using CODESYS Control V2 runtime environments should prioritize this: the vulnerability affects the CODESYS Runtime Toolkit 32-bit full and PLCWinNT versions used in industrial automation systems to control PLCs and machinery. Any facility relying on CODESYS-based controllers for process automation, packaging lines, or production control is at risk if its systems are networked or accessible remotely.
How it could be exploited
An attacker sends a specially crafted network message to the CODESYS runtime service (typically listening on the local network). The malformed data triggers a heap or stack buffer overflow in the message parsing code, either crashing the process (denial of service) or allowing code execution with the privileges of the runtime service.
Prerequisites
- Network access to the CODESYS Runtime or PLCWinNT service port (typically port 11740 for CODESYS v2)
- No authentication required to send malicious packets
- CODESYS Runtime or PLCWinNT service must be running and exposed to the network
- Remotely exploitable over network
- No authentication required
- Low attack complexity
- High CVSS score (9.8)
- Affects legacy systems (CODESYS V2)
- Can cause denial of service or enable code execution
- Affects control system runtime
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (2)
2 with fix
Product                               Affected Versions   Fix Status
CODESYS Runtime Toolkit 32-bit full   < 2.4.7.55          fixed in 2.4.7.55
CODESYS PLCWinNT                      < 2.4.7.55          fixed in 2.4.7.55
Remediation & Mitigation
Do now
WORKAROUND: Implement firewall rules to block unauthorized network access to CODESYS Runtime ports from outside the control system network
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update CODESYS Runtime Toolkit 32-bit full to version 2.4.7.55 or later
HOTFIX: Update CODESYS PLCWinNT to version 2.4.7.55 or later (or update CODESYS Development System setup to v2.3.9.66 or later)
Long-term hardening
HARDENING: Isolate CODESYS-based systems on a protected control network segment separate from office networks and the internet
HARDENING: Disable remote access to CODESYS systems unless required; if remote access is needed, route all connections through a VPN with strong authentication
HARDENING: Enable CODESYS user management and password protection features
HARDENING: Use encrypted communication links for CODESYS operations
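As an added defensive example (not part of the advisory or of any CODESYS tooling), the following Python flags flow-log records that reach the CODESYS V2 runtime port 11740/tcp from outside an allowed control-network segment, which is one way to verify that the firewall workaround above is actually holding. The log line format, the 10.10.20.0/24 engineering-workstation allowlist and all addresses are constructed assumptions.

```python
# Added example: detect unexpected access to the CODESYS V2 runtime port in
# constructed flow logs. Not from the advisory; format and addresses are made up.
import ipaddress

# Port named in the advisory's prerequisites as typical for CODESYS V2.
CODESYS_V2_PORTS = {11740}

# Constructed assumption: only the engineering-workstation subnet may reach the PLCs.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.20.0/24")]

# Constructed sample lines: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> <bytes>"
SAMPLE_FLOWS = """\
2021-06-22T10:01:03Z tcp 10.10.20.15:51342 -> 10.10.30.7:11740 4120
2021-06-22T10:01:09Z tcp 10.10.20.15:51343 -> 10.10.30.7:502 260
2021-06-22T10:02:41Z tcp 192.168.1.77:40022 -> 10.10.30.7:11740 88
2021-06-22T10:03:10Z tcp 203.0.113.9:60101 -> 10.10.30.8:11740 1500
2021-06-22T10:03:12Z udp 10.10.20.15:1740 -> 10.10.30.7:1740 64
"""


def parse_flow(line):
    """Return (src_ip, dst_ip, dst_port, proto), or None if the line does not match the format."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    proto = parts[1]
    src_ip = parts[2].rsplit(":", 1)[0]
    dst_ip, dst_port = parts[4].rsplit(":", 1)
    return ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dst_port), proto


def is_allowed_source(ip):
    """True if the source address sits inside one of the permitted control-network segments."""
    return any(ip in net for net in ALLOWED_SOURCES)


def find_unexpected_codesys_access(lines):
    """Return a list of (src, dst, port) for TCP flows that hit a CODESYS port from a non-allowed source."""
    alerts = []
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue  # skip malformed or unrelated lines rather than failing the whole run
        src, dst, dport, proto = parsed
        if proto == "tcp" and dport in CODESYS_V2_PORTS and not is_allowed_source(src):
            alerts.append((str(src), str(dst), dport))
    return alerts


if __name__ == "__main__":
    for src, dst, port in find_unexpected_codesys_access(SAMPLE_FLOWS.splitlines()):
        print(f"ALERT: {src} reached CODESYS port {port} on {dst} from outside the allowed segment")
```

Any hit from a non-allowlisted source after the firewall rule is in place means the rule is not covering that path; hits from public ranges such as the 203.0.113.9 sample indicate direct internet exposure of the runtime.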