Security News > 2021 > June > Critical vulnerabilities identified in CODESYS ICS automation software
Researchers have identified 10 vulnerabilities in CODESYS automation software for industrial control systems.
"The vendor rated some of these vulnerabilities as 10 out of 10, or extremely dangerous. Their exploitation can lead to remote command execution on PLC, which may disrupt technological processes and cause industrial accidents and economic losses," said Vladimir Nazarov, Head of ICS Security at Positive Technologies.
"The most notorious example of exploiting similar vulnerabilities is by using Stuxnet. In one such attack, this malware modified a project in PLC, hampering the operation of centrifuges at Iran's nuclear facility in Natanz. Initially, we analyzed the WAGO 750-8207 PLC. After we informed WAGO about the found vulnerabilities, the company passed the information to the people working on CODESYS, the software used as a foundation by 15 manufacturers to build PLC firmware. In addition to WAGO, that includes Beckhoff, Kontron, Moeller, Festo, Mitsubishi, HollySys and several Russian developers. In other words, a lot of controllers are affected by these vulnerabilities," Nazarov concluded.
Other vulnerabilities rated 8.8 were found in the CODESYS Control V2 communication runtime system, which enables embedded PC systems to be a programmable industrial controller.
Finally, vulnerability CVE-2021-30187 discovered in CODESYS Control V2 Linux SysFile library was rated 5.3.
To eliminate the vulnerabilities, companies are advised to follow the recommendations in CODESYS official notices.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/ziJHiS9jvc0/
Related news
- HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities (source)
- Patch Tuesday: Four Critical Vulnerabilities Paved Over (source)
- Critical vulnerabilities persist in high-risk sectors (source)
- Ivanti Issues Critical Security Updates for CSA and Connect Secure Vulnerabilities (source)
- CISA Adds Critical Flaw in BeyondTrust Software to Exploited Vulnerabilities List (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-05-25 | CVE-2021-30187 | OS Command Injection vulnerability in Codesys Runtime Toolkit 2.4.7.54 CODESYS V2 runtime system SP before 2.4.7.55 has Improper Neutralization of Special Elements used in an OS Command. | 5.3 |