Security News > 2021 > June > Critical vulnerabilities identified in CODESYS ICS automation software

Critical vulnerabilities identified in CODESYS ICS automation software
2021-06-04 06:55

Researchers have identified 10 vulnerabilities in CODESYS automation software for industrial control systems.

"The vendor rated some of these vulnerabilities as 10 out of 10, or extremely dangerous. Their exploitation can lead to remote command execution on PLC, which may disrupt technological processes and cause industrial accidents and economic losses," said Vladimir Nazarov, Head of ICS Security at Positive Technologies.

"The most notorious example of exploiting similar vulnerabilities is by using Stuxnet. In one such attack, this malware modified a project in PLC, hampering the operation of centrifuges at Iran's nuclear facility in Natanz. Initially, we analyzed the WAGO 750-8207 PLC. After we informed WAGO about the found vulnerabilities, the company passed the information to the people working on CODESYS, the software used as a foundation by 15 manufacturers to build PLC firmware. In addition to WAGO, that includes Beckhoff, Kontron, Moeller, Festo, Mitsubishi, HollySys and several Russian developers. In other words, a lot of controllers are affected by these vulnerabilities," Nazarov concluded.

Other vulnerabilities rated 8.8 were found in the CODESYS Control V2 communication runtime system, which enables embedded PC systems to be a programmable industrial controller.

Finally, vulnerability CVE-2021-30187 discovered in CODESYS Control V2 Linux SysFile library was rated 5.3.

To eliminate the vulnerabilities, companies are advised to follow the recommendations in CODESYS official notices.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/ziJHiS9jvc0/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-05-25 CVE-2021-30187 OS Command Injection vulnerability in Codesys Runtime Toolkit 2.4.7.54
CODESYS V2 runtime system SP before 2.4.7.55 has Improper Neutralization of Special Elements used in an OS Command.
local
low complexity
codesys CWE-78
5.3

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Codesys 68 0 13 43 16 72