
Microsoft: Codesys PLC bugs could be exploited to 'shut down power plants'
2023-08-11 19:40

Fifteen bugs in Codesys' industrial control systems software could be exploited to shut down power plants or steal information from critical infrastructure environments, experts have claimed.

In a report, with additional material published on GitHub, Microsoft threat intelligence specialist Vladimir Tokarev says the Windows giant - no stranger to security holes, cough - disclosed details of vulnerabilities in the Codesys V3 SDK to the Germany-based vendor in September 2022.

The firmware in a good deal of PLCs contains library routines from Codesys that run the engineers' control programs, and it is this embedded code that holds the bugs, leaving the equipment open to attack.

While Microsoft's team focused on the firmware in PLCs made by Schneider Electric and Wago, Codesys V3 is available for about 1,000 device types from more than 500 manufacturers, which adds up to several million devices using Codesys code to implement IEC 61131-3 - the international standard for vendor-neutral industrial equipment programming languages - according to the bug hunters.

As the researchers put it: "We were able to apply 12 of the buffer overflow vulnerabilities to gain RCE on PLCs. Exploiting the vulnerabilities requires user authentication as well as bypassing the Data Execution Prevention and Address Space Layout Randomization used by both PLCs. To overcome the user authentication, we used a known vulnerability, CVE-2019-9013, which allows us to perform a replay attack against the PLC using the unsecured username and password hash that were sent during the sign-in process, allowing us to bypass the user authentication process."
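To see why a password hash sent at sign-in is as replayable as the password itself, here is an added example that is not Microsoft's code and does not model the Codesys wire protocol: a toy "PLC" login that accepts a static password digest, beside a challenge-response variant that binds each response to a single-use server nonce. The message shapes, the credential store, and the class and function names are all constructed for illustration.

```python
"""Replay of a static password hash versus a nonce-bound challenge-response.

Toy model only: the 'PLC' classes, message shapes and credentials below are
constructed for illustration and are not the CODESYS V3 protocol or any
real device's login handshake.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed credential store for the toy device.
USERS: Dict[str, str] = {"engineer": "correct horse battery staple"}


def weak_pw_hash(password: str) -> str:
    """Unsalted, unkeyed digest of the password.

    If a client sends this value verbatim at sign-in, anyone who captured it
    on the wire holds a reusable credential without ever learning the password.
    """
    return hashlib.sha256(password.encode()).hexdigest()


class StaticHashPLC:
    """Accepts a login message of the form (user, H(password)).

    The digest is the same on every sign-in, so a captured message is replayable.
    """

    def login(self, user: str, pw_hash: str) -> bool:
        if user not in USERS:
            return False
        return hmac.compare_digest(weak_pw_hash(USERS[user]), pw_hash)


class ChallengePLC:
    """Issues a fresh random nonce per attempt and expects HMAC(H(password), nonce).

    A captured response is bound to a nonce that is never issued again, so
    resending it later fails.
    """

    def __init__(self) -> None:
        self._pending: Dict[str, bytes] = {}

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def login(self, user: str, response: bytes) -> bool:
        # Single use: the nonce is consumed whether or not the attempt succeeds.
        nonce = self._pending.pop(user, None)
        if nonce is None or user not in USERS:
            return False
        key = weak_pw_hash(USERS[user]).encode()
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: bytes) -> bytes:
    """What an honest client sends to ChallengePLC for a given nonce."""
    return hmac.new(weak_pw_hash(password).encode(), nonce, hashlib.sha256).digest()


def replay_against_static() -> Tuple[bool, bool]:
    """Legitimate sign-in, then an attacker resends the captured bytes unchanged."""
    plc = StaticHashPLC()
    captured = ("engineer", weak_pw_hash(USERS["engineer"]))  # what a sniffer sees
    legit = plc.login(*captured)
    replayed = plc.login(*captured)  # attacker never learns the password
    return legit, replayed


def replay_against_challenge() -> Tuple[bool, bool]:
    """Same capture-and-resend attempt against the nonce-bound login."""
    plc = ChallengePLC()
    nonce = plc.challenge("engineer")
    captured = ("engineer", client_response(USERS["engineer"], nonce))
    legit = plc.login(*captured)
    plc.challenge("engineer")        # attacker starts a new session: new nonce
    replayed = plc.login(*captured)  # old response was computed over the old nonce
    return legit, replayed


if __name__ == "__main__":
    print("static hash login : legit=%s replayed=%s" % replay_against_static())
    print("challenge login   : legit=%s replayed=%s" % replay_against_challenge())
```

Note that hashing the password on the client buys nothing here: the digest becomes the secret that is compared, so the server-side check must instead demand proof over fresh, unpredictable server data (or run the whole exchange over TLS) before a captured login can be treated as non-replayable.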

As Microsoft warned: "A DoS attack against a device using a vulnerable version of Codesys could enable threat actors to shut down a power plant, while remote code execution could create a backdoor for devices and let attackers tamper with operations, cause a PLC to run in an unusual way, or steal critical information."


News URL

https://go.theregister.com/feed/www.theregister.com/2023/08/11/microsoft_codesys_bugs/

Related Vulnerability

DATE        CVE            VULNERABILITY TITLE                                                                 RISK
2019-08-15  CVE-2019-9013  Use of a Broken or Risky Cryptographic Algorithm vulnerability in Codesys products  8.8
                           An issue was discovered in 3S-Smart CODESYS V3 products.
                           Attack complexity: low. Vendor: codesys. Weakness: CWE-327.

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Codesys 68 0 13 43 16 72