
Critical Security Flaws Identified in CODESYS ICS Automation Software
2022-06-27 03:35

CODESYS has released patches to address as many as 11 security flaws that, if successfully exploited, could result in information disclosure and a denial-of-service condition, among others.

CODESYS is a software suite used by automation specialists as a development environment for programmable logic controller applications.

The flaws affect CODESYS Gateway Server prior to version V2.3.9.38 and CODESYS Web server prior to version V1.1.9.23.

Chief among the flaws are CVE-2022-31805 and CVE-2022-31806, which concern, respectively, the unprotected transmission of the passwords used to authenticate before carrying out operations on the PLCs, and a failure to enable password protection by default in the CODESYS Control runtime system.

In a separate advisory published on June 23, CODESYS said it also remediated three other flaws in CODESYS Gateway Server that could be leveraged to send crafted requests to bypass authentication and crash the server.


News URL

https://thehackernews.com/2022/06/critical-security-flaws-identified-in.html

Related Vulnerability

2022-06-24  CVE-2022-31806  Risk: 6.8
Insecure Default Initialization of Resource vulnerability in Codesys Plcwinnt and Runtime Toolkit
Vendor: codesys; CWE-1188; attack vector: network
In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57, password protection is not enabled by default, and there is no information or prompt to enable password protection at login in case no password is set at the controller.

2022-06-24  CVE-2022-31805  Risk: 7.5
Unprotected Transport of Credentials vulnerability in Codesys products
Vendor: codesys; CWE-523; attack vector: network; low attack complexity
In the CODESYS Development System, multiple components in multiple versions transmit the passwords for the communication between clients and servers unprotected.

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Codesys 69 2 75 44 3 124