Neither communication encryption nor user authentication is activated by default, but must be activated by the user.
# Vulnerability: CODESYS Control V3 Insecure Default Configuration
## CVE Details
- **CVE ID:** CVE-2018-10612
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-306 (Missing Authentication for Critical Function) / CWE-311 (Missing Encryption)
*Note: While the advisory text mentions a CVSS v3.1 score of 0.0, the provided vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) calculates to a 9.8 Critical rating.*
## Affected Systems
- **Products:** All variants of CODESYS V3 products containing the `CmpSecureChannel` or `CmpUserMgr` components.
- **Versions:** All versions prior to V3.5.14.0.
- **Affected Hardware Examples:**
  - CODESYS Control for BeagleBone, Raspberry Pi, Linux, IOT2000.
  - CODESYS Control for PFC100/PFC200.
  - CODESYS Control RTE V3 (including Beckhoff CX).
  - CODESYS Control Win V3 and Simulation Runtime.
  - CODESYS HMI V3.
- **Configurations:** Systems where the user has not manually enabled communication encryption or user management policies.
## Vulnerability Description
The affected CODESYS V3 runtime systems ship with communication encryption and user authentication disabled by default. This "insecure by default" state means that any network-based actor can interact with the PLC runtime without providing credentials. Because the administrative and control protocols are exposed in plaintext and lack access control, an attacker can perform unauthorized actions on the controller.
## Exploitation
- **Status:** Unknown (PoC existence not specified in advisory).
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Plaintext communication allows data sniffing).
- **Integrity:** High (Unauthorized modification of logic and parameters).
- **Availability:** High (Potential for unauthorized stop commands or arbitrary code execution).
## Remediation
### Patches
- **Version V3.5.14.0:** Adds configuration prompts and links within the CODESYS Development System to guide users in manually activating security features.
- **Version V3.5.15.0 (Released July 2019):** Activates encryption and user management by default.
### Workarounds
- **Manual Activation:** Users must manually enable "Online User Management" and "Encrypted Communication" within the CODESYS communication settings.
- **Network Segmentation:** Place controllers in a protected environment isolated from the public internet.
- **Firewalling:** Use firewalls to restrict access to the control network.
- **VPN:** Use encrypted tunnels for any required remote access.
## Detection
- **Indicators of Compromise:** Detection of unauthenticated traffic on CODESYS runtime ports (typically TCP 1217 or similar).
- **Detection Methods:**
  - Network traffic analysis to identify lack of TLS/encryption on control protocols.
  - Auditing PLC configurations to verify whether user management is "Disabled" or "Active."
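The first detection method above (spotting control-protocol sessions that are not wrapped in TLS) can be automated over exported session data. The following is an added example, not code from the advisory or from CODESYS: it takes constructed records of the first bytes each client sent to a PLC, keeps only those aimed at the runtime port named in this section (TCP 1217), and flags any session that does not open with a TLS ClientHello record (content type 0x16, record version 0x03 0x0x, handshake type 0x01). Sessions with no client payload are reported separately rather than silently ignored, since they cannot be classified. The `Session` record shape and the sample bytes are assumptions for the example.

```python
"""Flag unencrypted sessions to the CODESYS runtime port (added example).

Input records are constructed for this example; a capture or flow sensor
would supply the real ones. A session whose first bytes form a TLS
handshake record is treated as encrypted. Anything else on the runtime
port is the plaintext state this advisory warns about.
"""
from dataclasses import dataclass
from collections import Counter

RUNTIME_PORT = 1217  # port named in this advisory's detection section


@dataclass
class Session:
    src: str          # client address
    dst: str          # PLC address
    dport: int        # destination TCP port
    first_bytes: bytes  # first payload bytes sent by the client


def is_tls_client_hello(data: bytes) -> bool:
    """True if data starts like a TLS record carrying a ClientHello:
    content type 22 (handshake), major version 3, handshake type 1."""
    return (
        len(data) >= 6
        and data[0] == 0x16
        and data[1] == 0x03
        and data[2] <= 0x04
        and data[5] == 0x01
    )


def classify_runtime_sessions(sessions):
    """Split runtime-port sessions into plaintext, encrypted and unclassified.

    Returns a dict of lists of (src, dst) pairs. Sessions on other ports
    are ignored; empty payloads go to 'unclassified'."""
    result = {"plaintext": [], "encrypted": [], "unclassified": []}
    for s in sessions:
        if s.dport != RUNTIME_PORT:
            continue
        if not s.first_bytes:
            result["unclassified"].append((s.src, s.dst))
        elif is_tls_client_hello(s.first_bytes):
            result["encrypted"].append((s.src, s.dst))
        else:
            result["plaintext"].append((s.src, s.dst))
    return result


def plaintext_count_per_plc(sessions):
    """Number of plaintext runtime sessions seen per PLC address."""
    return Counter(dst for _, dst in classify_runtime_sessions(sessions)["plaintext"])


# Constructed sample data (not real captures; addresses and bytes are made up).
SAMPLE = [
    Session("10.0.0.5", "10.0.1.20", 1217, bytes.fromhex("160301007b0100007700")),  # TLS ClientHello
    Session("10.0.0.9", "10.0.1.20", 1217, b"CONSTRUCTED-PLAINTEXT-REQUEST"),       # no TLS
    Session("10.0.0.9", "10.0.1.21", 1217, b"CONSTRUCTED-PLAINTEXT-REQUEST"),       # no TLS
    Session("10.0.0.7", "10.0.1.21", 1217, b""),                                    # no client data
    Session("10.0.0.9", "10.0.1.20", 22, b"SSH-2.0-OpenSSH_8.9"),                   # other port
]

if __name__ == "__main__":
    report = classify_runtime_sessions(SAMPLE)
    for kind, pairs in report.items():
        print(kind, pairs)
    print("plaintext sessions per PLC:", dict(plaintext_count_per_plc(SAMPLE)))
```

A PLC that appears in the `plaintext` list is either still running the insecure default or is being reached by a client that does not use the encrypted channel; both cases warrant checking the communication settings described under Workarounds. The check is a heuristic on the opening bytes only, so a session that begins with something other than a ClientHello but later negotiates TLS would be misreported and should be confirmed against the full capture.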
## References
- **Vendor Advisory:** CODESYS Online Help/Security Advisories
- **NVD:** [https://nvd.nist.gov/vuln/detail/CVE-2018-10612](https://nvd.nist.gov/vuln/detail/CVE-2018-10612)
- **Kaspersky ICS CERT:** [https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-035-codesys-control-v3-access-control-inactive-by-default/](https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-035-codesys-control-v3-access-control-inactive-by-default/)