OSCAT: Out-of-bounds read in OSCAT Basic library
Monitor · 5.1 · VDE-2024-046 · Sep 10, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The OSCAT Basic library contains an out-of-bounds read vulnerability in the MONTH_TO_STRING function. This vulnerability may allow limited access to internal data or cause the PLC to crash. The issue affects the library when negative or invalid month values are passed to the MONTH_TO_STRING function.
What this means
What could happen
An attacker or a flawed control program could cause the PLC to crash or leak internal data by passing invalid month values to the MONTH_TO_STRING function, potentially interrupting production or revealing sensitive process information.
Who's at risk
Manufacturing facilities and utilities that use CODESYS-based PLCs with the OSCAT Basic library for automation tasks, particularly those relying on date/time functions (e.g., alarm logging, schedule-based control, reporting). Any automation process that uses MONTH_TO_STRING in its control logic is at risk.
How it could be exploited
An attacker with access to modify the PLC application code, or a poorly-validated external input (e.g., from a network interface or sensor), could pass a negative or out-of-bounds month value to the MONTH_TO_STRING function, triggering the out-of-bounds read. This could crash the PLC or expose internal memory contents.
Prerequisites
- Code execution capability on the PLC or ability to influence input values passed to MONTH_TO_STRING
- OSCAT Basic library version earlier than 3.3.5.0 deployed on the PLC
- Affects widely-used open-source library
- Can crash PLCs, interrupting production
- No patch available for some product variants
- Local attack vector but exploitable through untrusted input
Affected products (3)
1 with fix, 2 pending

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| oscat.de OSCAT Basic Library | <3.3.5.0 | 3.3.5.0 |
| CODESYS OSCAT Basic Library | <335 | No fix yet |
| CODESYS OSCAT Basic Library | <3.3.5 | No fix yet |
Remediation & Mitigation
Do now
- WORKAROUND: Add input validation in your PLC program to reject negative and out-of-bounds month values before passing them to MONTH_TO_STRING (temporary mitigation if patching is delayed)
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update OSCAT Basic library to version 3.3.5.0 and update the library version in your CODESYS project Library Manager
- HOTFIX: Download the updated application to the PLC and rebuild/download the boot project to activate the fix
Long-term hardening
- HARDENING: Review any PLC code that uses MONTH_TO_STRING to identify where untrusted or unvalidated inputs could reach the function
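
The input-validation workaround above, written in IEC 61131-3 Structured Text as an added example (not code from this advisory or from the OSCAT project). The block name FB_SAFE_MONTH_TO_STRING and its outputs are hypothetical; the three INT inputs MTH, LANG and LX, the STRING(10) return type and the valid range 1..12 are assumptions to check against the library version in your project.

```iecst
(* Added example. FB_SAFE_MONTH_TO_STRING and its outputs are hypothetical names.
   Assumptions: MONTH_TO_STRING takes three INT inputs (MTH, LANG, LX), returns
   STRING(10), and expects MTH in 1..12. Only the month input is checked here. *)
FUNCTION_BLOCK FB_SAFE_MONTH_TO_STRING
VAR_INPUT
    MTH  : INT;            (* month value as received, possibly untrusted *)
    LANG : INT;            (* language selector, passed through unchanged *)
    LX   : INT;            (* length selector, passed through unchanged *)
END_VAR
VAR_OUTPUT
    TEXT     : STRING(10); (* month name, or empty string when MTH was rejected *)
    VALID    : BOOL;       (* TRUE only when the library function was called *)
    REJECTED : UDINT;      (* saturating count of rejected values, for alarming *)
    LAST_BAD : INT;        (* most recent rejected value, for diagnostics *)
END_VAR

IF (MTH >= 1) AND (MTH <= 12) THEN
    (* In range: the only path on which the library function is reached. *)
    TEXT  := MONTH_TO_STRING(MTH, LANG, LX);
    VALID := TRUE;
ELSE
    (* Negative, zero or above 12: never forwarded to MONTH_TO_STRING. *)
    TEXT     := '';
    VALID    := FALSE;
    LAST_BAD := MTH;
    IF REJECTED < 16#FFFFFFFF THEN
        REJECTED := REJECTED + 1;
    END_IF
END_IF
```

When the block is called every cycle, REJECTED counts cycles with a bad value rather than distinct events, so alarm on a change in the count or on VALID going FALSE.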
CVEs (1)