Full Report
CODESYS routing protocol may disguise the source of crafted communication packets.
Analysis Summary
# Vulnerability: CODESYS Control V3 Improper Communication Address Filtering
## CVE Details
- **CVE ID:** CVE-2018-20026
- **CVSS Score:** 9.8 (Critical)
- *Note: The source text displays "0.0" but provides a vector string [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H] which calculates to 9.8.*
- **CWE:** Improper Address Filtering (Related to CWE-20: Improper Input Validation)
## Affected Systems
- **Products:** All CODESYS V3 products containing the **CmpRouter** component.
- **Versions:** All versions prior to **V3.5.14.0**.
- **Configurations:** All CPU types and operating systems are affected. Specific products include:
- CODESYS Control (BeagleBone, emPC-A/iMX6, IOT2000, Linux, PFC100/200, Raspberry Pi, RTE V3, Win V3).
- CODESYS Control V3 Runtime System Toolkit.
- CODESYS V3 Toolkits (Embedded Target Visu, Remote Target Visu).
- CODESYS V3 Safety SIL2.
- CODESYS Gateway V3, HMI V3, and OPC Server V3.
- CODESYS PLCHandler SDK and CODESYS V3 Development System.
## Vulnerability Description
The CODESYS routing protocol contains a flaw in how it processes communication packets. The protocol fails to properly filter or validate communication addresses, allowing an attacker to craft packets that disguise the original source. This effectively permits the spoofing of communication origins within the CODESYS routing layer.
## Exploitation
- **Status:** Unknown (No publicly documented in-the-wild exploitation at time of advisory).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Access to sensitive information).
- **Integrity:** High (Potential to inject or modify commands via disguised source).
- **Availability:** High (Potential for unauthorized control operations).
## Remediation
### Patches
- **Upgrade to CODESYS V3.5.14.0** or newer. This version resolves the improper address filtering for all affected components.
### Workarounds
The vendor has stated there are no direct workarounds for the vulnerability itself. General defensive measures include:
- Deploying controllers in protected, isolated network environments.
- Using firewalls to segment control networks from office/external networks.
- Implementing VPN tunnels for any required remote access.
- Restricting physical and OS-level access to development and control systems.
## Detection
- **Indicators of Compromise:** Unusual packet routing patterns within the CODESYS protocol or unexpected communication from unauthorized internal routing addresses.
- **Detection methods and tools:** Network traffic analysis of the CODESYS protocol for anomalies in the `CmpRouter` component headers.
## References
- **Vendor Advisory:** hxxps[://]customers.codesys[.]com/index.php?eID=dumpFile&t=f&f=12941&token=210287739f40dc5f7823e2a16d559815a519782a&download= (External link reference)
- **NVD:** hxxps[://]nvd.nist[.]gov/vuln/detail/CVE-2018-20026
- **Kaspersky ICS CERT:** hxxps[://]ics-cert.kaspersky[.]com/advisories/2018/12/19/klcert-18-036-codesys-control-v3-improper-communication-address-filtering/