Full Report
CODESYS communication servers use insufficiently random values.
Analysis Summary
# Vulnerability: CODESYS V3 Insufficient Entropy in Communication Servers
## CVE Details
- **CVE ID:** CVE-2018-20025
- **CVSS Score:** 8.1 (High) - *Note: While the source text displays a base score of 0.0 in a possible typo, the provided vector string ([CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)) and the "High" impact description indicate a high-severity rating.*
- **CWE:** CWE-330 (Use of Insufficiently Random Values)
## Affected Systems
- **Products:** All CODESYS V3 products containing communication servers for the CODESYS protocol.
- **Versions:** All versions prior to V3.5.14.0.
- **Specific Products include:**
- CODESYS Control (Linux, BeagleBone, emPC-A/iMX6, IOT2000, PFC100, PFC200, Raspberry Pi)
- CODESYS Control RTE V3 (including Beckhoff CX)
- CODESYS Control Win V3
- CODESYS Control V3 Runtime System Toolkit
- CODESYS V3 Safety SIL2
- CODESYS Gateway V3 & HMI V3
- CODESYS V3 Simulation Runtime
- **Configurations:** All CPU types and operating systems are affected if the CODESYS communication protocol is in use.
## Vulnerability Description
The CODESYS communication servers utilize insufficiently random values (low entropy) when generating security-critical parameters. This technical flaw makes the generated values predictable. Specifically, an attacker can determine session and channel identifiers used by the CODESYS protocol.
## Exploitation
- **Status:** Unknown (Proof of Concept existence is listed as "P" / Provisional in the vector string, but the report states "Unknown" for active exploitation).
- **Complexity:** High (Requires the ability to predict/calculate values based on the insufficient randomness).
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Session/channel identifiers can be hijacked).
- **Integrity:** High (Allows unauthorized operations to be performed on behalf of legitimate users).
- **Availability:** High (Potential for unauthorized control actions to disrupt system availability).
## Remediation
### Patches
- **Upgrade to CODESYS V3.5.14.0 or later.** 3S-Smart Software Solutions GmbH released this version in December 2018 specifically to address this flaw.
### Workarounds
- **Network Segmentation:** Use firewalls to isolate the control network from the enterprise network and the internet.
- **Secure Remote Access:** Use VPN tunnels for all remote connections.
- **User Management:** Enable and enforce user management and password protection features within the software.
- **Access Control:** Restrict physical and logical access to the development and control systems.
## Detection
- **Indicators of Compromise:** Monitor for unauthorized or anomalous control commands originating from legitimate user sessions.
- **Detection methods:** Use ICS-aware Deep Packet Inspection (DPI) to monitor CODESYS protocol traffic for session hijacking attempts or unusual connection patterns.
## References
- **Vendor Advisory:** hxxps[://]www[.]codesys[.]com/download
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2018/12/19/klcert-18-037-codesys-control-v3-use-of-insufficiently-random-values/
- **NVD:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2018-20025