CODESYS: Development System V2.3 affected by two vulnerabilities through corrupted project files

CVSS: 7.8
Advisory ID: VDE-2024-024
Published: May 6, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

CODESYS Development System V2.3 contains buffer overflow and use-after-free vulnerabilities (CWE-787, CWE-416) that can be triggered when opening corrupted project files. Affected versions prior to 2.3.9.73 may crash or execute arbitrary code during project file parsing. CODESYS V2.3 is currently in service phase. Mitigations include updating to version 2.3.9.73, which validates project file integrity and prevents loading of corrupt files, and using password encryption on project files.

What this means
What could happen
An attacker with local access to a development workstation can crash the CODESYS development environment or execute arbitrary code by distributing a malicious project file, which could allow unauthorized modification or theft of automation control logic.
Who's at risk
Manufacturing facilities and automation integrators who use CODESYS Development System V2.3 on engineering workstations to develop and modify PLC control programs. This includes facilities in discrete manufacturing, process industries, and utilities that rely on programmable logic controllers for operational control.
How it could be exploited
An attacker creates a corrupted or malicious CODESYS project file and sends it to an engineer. When the engineer opens the file in CODESYS Development System V2.3, the application crashes or executes the attacker's code. This could allow the attacker to modify automation logic, insert backdoors, or steal intellectual property (PLC program code).
Prerequisites
  • Local user account on the development workstation
  • User opens a malicious project file in CODESYS Development System V2.3 (version earlier than 2.3.9.73)
  • User has not updated to version 2.3.9.73 or later
  • Requires local access to workstation
  • Requires user interaction (opening malicious file)
  • Can lead to code execution on development environment
  • Could enable theft or modification of industrial control logic
Affected products (1)
Product                            Affected Versions   Fix Status
CODESYS Development System V2.3    < 2.3.9.73          2.3.9.73
Remediation & Mitigation
Do now
WORKAROUND: Enable password encryption on all CODESYS project files to prevent tampering
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CODESYS Development System V2.3 to version 2.3.9.73 or later
Long-term hardening
HARDENING: Establish a policy to only open project files from trusted internal sources and verified team members
HARDENING: Consider upgrading from CODESYS V2.3 to CODESYS V3, as V2.3 is in service phase and will eventually reach end-of-life
Source: OTPulse