OSCAT: Out-of-bounds read in OSCAT Basic library

OTPulse advisory | CVSS 5.1 | VDE-2024-046 | Sep 10, 2024
Tags: CODESYS, Manufacturing

Attack path
  • Attack Vector: Local
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

The MONTH_TO_STRING function in OSCAT Basic library contains an out-of-bounds read vulnerability. When passed negative or invalid month values, the function reads data outside allocated memory bounds, which could expose internal data or crash the PLC. The vulnerability affects OSCAT Basic library versions prior to 3.3.5.0 in oscat.de releases and earlier than 3.3.5 in CODESYS versions. Exploitation requires the ability to influence function parameters in a running PLC program.

What this means
What could happen
An attacker or misconfigured control program could pass invalid input to the MONTH_TO_STRING function in OSCAT Basic, causing the PLC to read data outside of allocated memory, potentially exposing sensitive values or crashing the controller and stopping plant operations.
Who's at risk
Manufacturing plants and utilities using CODESYS-based programmable logic controllers (PLCs) with the OSCAT Basic library for control logic, particularly those relying on the MONTH_TO_STRING function for time/date processing in production or critical process control.
How it could be exploited
An attacker with the ability to influence PLC program logic or parameters (such as a remote access tool, compromised SCADA client, or engineering workstation) could call the MONTH_TO_STRING function with negative or out-of-range month values, triggering an out-of-bounds read on the PLC that leaks internal memory or causes the controller to crash.
Prerequisites
  • OSCAT Basic library imported into PLC program
  • Network or local access to modify PLC program parameters or inject function calls via SCADA/HMI interface
  • PLC running affected version of OSCAT Basic library (<3.3.5.0 for oscat.de version, or <3.3.5 for CODESYS version)
  • Low complexity
  • No authentication required to exploit if the attacker can modify program parameters
  • Could cause PLC crash and operational downtime
  • Limited patch availability for CODESYS versions
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (3): 1 with fix, 2 pending

Product                        Affected Versions   Fix Status
oscat.de OSCAT Basic Library   <3.3.5.0            3.3.5.0
CODESYS OSCAT Basic Library    <3.3.5              No fix yet
CODESYS OSCAT Basic Library    <3.3.5              No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Add validation logic in your PLC program to block negative or out-of-range values before passing them to the MONTH_TO_STRING function
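The validation wrapper that workaround describes, written here as an added example in IEC 61131-3 Structured Text; it is not code from OSCAT or from this advisory. It assumes MONTH_TO_STRING takes the month as its first INT argument and a language selector as its second and returns a STRING(10), as documented for OSCAT Basic (check your library version); the block name FB_SAFE_MONTH_TO_STRING and the REJECTED counter are the example's own.

```iecst
(* Added example, not part of the OSCAT library or this advisory.
   Guards every call to OSCAT's MONTH_TO_STRING by rejecting any month
   outside 1..12 before the library function ever sees it.
   Assumption: MONTH_TO_STRING(month : INT, lang : INT) : STRING(10). *)
FUNCTION_BLOCK FB_SAFE_MONTH_TO_STRING
VAR_INPUT
    MONTH : INT;               (* untrusted value, e.g. from HMI/SCADA *)
    LANG  : INT := 0;          (* language selector passed through *)
END_VAR
VAR_OUTPUT
    NAME     : STRING(10) := ''; (* month name, or '' when rejected *)
    VALID    : BOOL := FALSE;    (* TRUE only when MONTH was in range *)
    REJECTED : UDINT := 0;       (* rejected calls, for diagnostics *)
END_VAR

(* Bounds check first: negative and >12 values are the trigger
   described in the advisory, so neither may reach the library. *)
VALID := (MONTH >= 1) AND (MONTH <= 12);

IF VALID THEN
    NAME := MONTH_TO_STRING(MONTH, LANG);
ELSE
    (* Fail closed: return an empty name and count the event so the
       out-of-range input shows up in diagnostics rather than as a
       silent out-of-bounds read. *)
    NAME := '';
    REJECTED := REJECTED + 1;
END_IF
END_FUNCTION_BLOCK
```

Route all call sites through the wrapper; a single direct call left elsewhere in the project bypasses the check, so searching the project for MONTH_TO_STRING after the change is part of applying this workaround.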
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update the OSCAT Basic library to version 3.3.5.0 in your CODESYS environment
HOTFIX: Update the Library Manager in your CODESYS project to reference OSCAT Basic version 3.3.5.0
HOTFIX: Download the updated PLC application to the controllers and rebuild/download the boot project to make the fix effective
Long-term hardening
HARDENING: Restrict network access to PLC engineering/parameter modification interfaces to authorized personnel only