Security News > 2022 > November > 3 New Vulnerabilities Affect OT Products from German Companies Festo and CODESYS

3 New Vulnerabilities Affect OT Products from German Companies Festo and CODESYS
2022-11-30 07:21

Researchers have disclosed details of three new security vulnerabilities affecting operational technology products from CODESYS and Festo that could lead to source code tampering and denial-of-service.

The vulnerabilities, reported by Forescout Vedere Labs, are the latest in a long list of flaws collectively tracked under the name OT:ICEFALL. "These issues exemplify either an insecure-by-design approach - which was usual at the time the products were launched - where manufacturers include dangerous functions that can be accessed with no authentication or a subpar implementation of security controls, such as cryptography," the researchers said.

The most critical of the flaws is CVE-2022-3270, a critical vulnerability that affects Festo automation controllers using the Festo Generic Multicast protocol to reboot the devices without requiring any authentication and cause a denial of service condition.

Another DoS shortcoming in Festo controllers relates to a case of unauthenticated, remote access to an undocumented web page that could be exploited by an attacker with network access to Festo CPX-CEC-C1 and CPX-CMXX PLCs. The third issue, on the other hand, concerns the use of weak cryptography in the CODESYS V3 runtime environment to secure download code and boot applications, which could be abused by a bad actor to decrypt and manipulate the source code, thereby undermining confidentiality and integrity protections.

Forescout said it also identified two known CODESYS bugs impacting Festo CPX-CEC-C1 controllers that stem from an unsafe configuration in the Control runtime environment, and could lead to a denial-of-service sans authentication.

"This is yet another example of a supply chain issue where a vulnerability has not been disclosed for all the products it affects," the researchers said.


News URL

http://thehackernews.com/2022/11/3-new-vulnerabilities-affect-ot.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-12-01 CVE-2022-3270 Unspecified vulnerability in Festo products
In multiple products by Festo a remote unauthenticated attacker could use functions of an undocumented protocol which could lead to a complete loss of confidentiality, integrity and availability.
network
low complexity
festo
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Codesys 71 1 35 73 18 127
Festo 102 0 0 2 5 7