Full Report
Kaspersky Lab presented its latest findings on CoDeSys Runtime vulnerabilities at the S4x19 conference, in what was a successful debut among competing industrial cybersecurity vendors.
Analysis Summary
Based on the findings presented by Kaspersky Lab at S4x19 regarding CoDeSys Runtime vulnerabilities, here is the technical summary:
# Vulnerability: CODESYS Runtime System Multiple High-Severity Flaws
## CVE Details
- **CVE ID:** CVE-2018-20031, CVE-2018-20032, CVE-2018-20033, CVE-2018-20034
- **CVSS Score:** 7.5 (High) to 10.0 (Critical), depending on the CVE.
- **CWE:** CWE-121 (Stack-based Buffer Overflow), CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer).
## Affected Systems
- **Products:** CODESYS Runtime System (used in hundreds of PLC models across different vendors).
- **Versions:** CODESYS V2.x and V3.x Control Runtime (specific versions prior to those released in late 2018/early 2019).
- **Configurations:** Systems that expose the web server component or the gateway/runtime communication ports used for PLC programming and monitoring.
## Vulnerability Description
Kaspersky's research focused on flaws in the communication protocols and the web-based management interfaces of the CODESYS runtime. The vulnerabilities allow an unauthenticated network peer to corrupt runtime memory. Specifically, the researchers identified buffer overflows in the way the runtime handles specially crafted communication packets: the runtime trusts length fields supplied in the packet and copies attacker-controlled data into fixed-size buffers without bounds checking. A malicious packet sent to the PLC's control port can therefore crash the runtime or allow execution of arbitrary code in the context of the runtime process, which on a PLC is the process that owns the control logic.
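The pattern described above, as an added illustration that is not CODESYS code and not Kaspersky's PoC: a handler that trusts a packet's declared payload length and copies into a fixed stack buffer (CWE-121), beside the hardened form that bounds the length by both the destination buffer and the bytes actually received. The wire format (a 1-byte type, a 2-byte big-endian length, then payload), the buffer size and the sample packets are assumptions made for this example only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative wire format used by this example only (an assumption, not the
 * CODESYS protocol): [u8 type][u16 big-endian payload length][payload bytes]. */
#define HDR_LEN     3
#define MAX_PAYLOAD 64

enum { PKT_TRUNCATED = -1, PKT_TOO_LONG = -2 };

/* Read the length field; caller guarantees at least HDR_LEN bytes are present. */
static size_t declared_len(const uint8_t *pkt) {
    return ((size_t)pkt[1] << 8) | pkt[2];
}

/* Vulnerable handler: the declared length is trusted and copied into a
 * fixed-size stack buffer. A packet declaring more than MAX_PAYLOAD bytes
 * writes past 'payload' (stack-based overflow); a length larger than what
 * was received also reads past the end of 'pkt'. Returns payload length. */
int handle_packet_vulnerable(const uint8_t *pkt, size_t pkt_len) {
    uint8_t payload[MAX_PAYLOAD];
    if (pkt_len < HDR_LEN) return PKT_TRUNCATED;
    size_t len = declared_len(pkt);
    memcpy(payload, pkt + HDR_LEN, len);       /* BUG: no bound on len */
    return (int)len;
}

/* Hardened handler: the declared length is checked against both the
 * destination buffer and the bytes actually received before any copy. */
int handle_packet_hardened(const uint8_t *pkt, size_t pkt_len) {
    uint8_t payload[MAX_PAYLOAD];
    if (pkt_len < HDR_LEN) return PKT_TRUNCATED;
    size_t len = declared_len(pkt);
    if (len > MAX_PAYLOAD) return PKT_TOO_LONG;        /* bound by buffer */
    if (len > pkt_len - HDR_LEN) return PKT_TRUNCATED; /* bound by input  */
    memcpy(payload, pkt + HDR_LEN, len);
    return (int)len;
}

/* Build a packet whose header may lie about the payload length, the way a
 * crafted packet would. Returns the total number of bytes written (0 on error). */
size_t build_packet(uint8_t *out, size_t out_cap, uint8_t type,
                    uint16_t claimed_len, const uint8_t *body, size_t body_len) {
    if (out_cap < HDR_LEN + body_len) return 0;
    out[0] = type;
    out[1] = (uint8_t)(claimed_len >> 8);
    out[2] = (uint8_t)(claimed_len & 0xFF);
    memcpy(out + HDR_LEN, body, body_len);
    return HDR_LEN + body_len;
}

int main(void) {
    uint8_t pkt[128];
    const uint8_t body[] = "hello";   /* 5-byte constructed sample payload */

    /* Honest packet: both handlers accept it. */
    size_t n = build_packet(pkt, sizeof pkt, 0x01, 5, body, 5);
    printf("honest:  vulnerable=%d hardened=%d\n",
           handle_packet_vulnerable(pkt, n), handle_packet_hardened(pkt, n));

    /* Crafted packet: claims 0xFFFF bytes but carries 5. The hardened handler
     * rejects it; the vulnerable one would memcpy 65535 bytes into a 64-byte
     * stack buffer, so it is deliberately not called on this input. */
    n = build_packet(pkt, sizeof pkt, 0x01, 0xFFFF, body, 5);
    printf("crafted: hardened=%d\n", handle_packet_hardened(pkt, n));
    return 0;
}
```

The order of the two checks in the hardened handler matters: the buffer bound is applied first so that an oversized claim is reported as such even when the packet is also short, and the input bound prevents an over-read when the claim is within the buffer size but the packet was truncated on the wire.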
## Exploitation
- **Status:** PoC demonstrated at S4x19; no widespread exploitation in the wild at time of publication.
- **Complexity:** Medium (requires knowledge of CODESYS-specific protocols).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Potential to read memory and sensitive logic).
- **Integrity:** High (Potential to overwrite PLC logic or firmware).
- **Availability:** High. A runtime crash means loss of control of the process, and a corrupted runtime or firmware can leave the device in a persistent denial-of-service (bricked) state.
## Remediation
### Patches
- **CODESYS V3:** Update to Runtime System V3.5 SP14 or higher.
- **CODESYS V2:** Specific security updates were issued; users must contact their PLC hardware OEM as CODESYS V2 is often integrated deep into vendor-specific firmware.
### Workarounds
- **Network Segmentation:** Place PLCs behind industrial firewalls and isolate the control network from the business LAN.
- **Disable Web Server:** If the CODESYS WebVisu or web-based management is not required, disable the service.
- **Access Control:** Implement IP-based Access Control Lists (ACLs) to ensure only authorized workstations can communicate with the PLC ports (e.g., TCP 1217, 2455).
## Detection
- **IOCs:** Traffic to TCP ports 1217 (V3 gateway) or 1200/2455 (V2) from hosts that are not known engineering workstations.
- **Detection Methods:**
  - Use an industrial IDS to monitor for malformed CODESYS protocol headers.
  - Monitor for frequent PLC restarts or runtime service crashes (crash-looping); a runtime that keeps falling over is consistent with malformed packets being delivered to its control port.
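An added example, serving both the IP-based ACL recommended under Workarounds and the two detection methods above; it is not part of the original report and not vendor tooling. It runs two checks over constructed sample data embedded inline: flows that reach a CODESYS port (1200, 1217, 2455) from a source outside an assumed engineering-workstation allowlist, and a sliding-window crash-loop heuristic over PLC restart timestamps. The log format, IP addresses, timestamps and thresholds are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample flow records (not real captures): "epoch src_ip dst_ip dport". */
static const char *const FLOWS[] = {
    "1548931200 10.10.1.5  10.10.2.20 1217",  /* engineering workstation -> V3 gateway port */
    "1548931205 10.10.1.5  10.10.2.20 2455",
    "1548931260 10.10.3.77 10.10.2.20 1217",  /* business-LAN host, not on the ACL */
    "1548931300 10.10.3.77 10.10.2.20 2455",
    "1548931310 10.10.1.5  10.10.2.20 443",   /* not a CODESYS port, ignored */
};
#define N_FLOWS (sizeof FLOWS / sizeof FLOWS[0])

/* Assumed ACL: hosts permitted to reach PLC programming ports. */
static const char *const ALLOWED_SRC[] = { "10.10.1.5", "10.10.1.6" };
/* Ports named in the advisory: 1200 (V2 gateway), 2455 (V2 runtime), 1217 (V3 gateway). */
static const int PLC_PORTS[] = { 1200, 1217, 2455 };

int is_plc_port(int port) {
    for (size_t i = 0; i < sizeof PLC_PORTS / sizeof PLC_PORTS[0]; i++)
        if (PLC_PORTS[i] == port) return 1;
    return 0;
}

int is_allowed_src(const char *ip) {
    for (size_t i = 0; i < sizeof ALLOWED_SRC / sizeof ALLOWED_SRC[0]; i++)
        if (strcmp(ALLOWED_SRC[i], ip) == 0) return 1;
    return 0;
}

/* Count flows that reach a CODESYS port from a host outside the ACL.
 * Records that do not parse are skipped rather than counted as alerts. */
int count_unauthorized_plc_flows(const char *const *flows, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        long ts; char src[40], dst[40]; int port;
        if (sscanf(flows[i], "%ld %39s %39s %d", &ts, src, dst, &port) != 4) continue;
        if (is_plc_port(port) && !is_allowed_src(src)) hits++;
    }
    return hits;
}

/* Constructed PLC restart timestamps (epoch seconds, ascending), e.g. from syslog. */
static const long RESTARTS[] = { 1548931200, 1548931230, 1548931261, 1548931290, 1548940000 };
#define N_RESTARTS (sizeof RESTARTS / sizeof RESTARTS[0])

/* Crash-loop heuristic: returns 1 if at least 'threshold' restarts fall inside
 * any 'window'-second span starting at a restart. Timestamps must be sorted. */
int crash_loop_detected(const long *ts, size_t n, int threshold, long window) {
    for (size_t i = 0; i < n; i++) {
        int count = 0;
        for (size_t j = i; j < n && ts[j] - ts[i] <= window; j++) count++;
        if (count >= threshold) return 1;
    }
    return 0;
}

int main(void) {
    printf("unauthorized flows to PLC ports: %d\n",
           count_unauthorized_plc_flows(FLOWS, N_FLOWS));
    printf("crash loop (>=3 restarts in 5 min): %s\n",
           crash_loop_detected(RESTARTS, N_RESTARTS, 3, 300) ? "yes" : "no");
    return 0;
}
```

The flow check is the monitoring counterpart of the ACL: the same allowlist that the firewall enforces is what the alert compares against, so a hit means either a misconfigured rule or traffic that bypassed it. The restart window (3 in 300 s here) should be tuned per site, since commissioning work also produces clustered restarts.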
## References
- **Vendor Advisory:** hxxps[://]www[.]codesys[.]com/security/advisories.html
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2019/01/31/kaspersky-lab-at-s4x19/
- **S4x19 Presentation Reference:** hxxps[://]s4xevents[.]com/s4x19-archive/