# Full Report
This article continues the discussion of research on popular OEM technologies that are implemented in the products of a large number of vendors. Vulnerabilities in such technologies are highly likely to affect the security of many, if not all, products that use them. In some cases, this means hundreds of products that are used in industrial environments and in critical infrastructure facilities. This is the case with CODESYS Runtime, a framework by CODESYS designed for developing and executing industrial control system software.
# Analysis Summary
The following summarises the vulnerability findings from the research on the CODESYS Runtime framework.
# Vulnerability: Multiple Flaws in CODESYS Gateway and Runtime Services
## CVE Details
*Note: This research covers a cluster of vulnerabilities identified by Kaspersky ICS CERT. The primary focal point for the communication protocol flaws includes:*
- **CVE ID:** CVE-2018-20031, CVE-2018-20032, CVE-2018-20033
- **CVSS Score:** 7.5 to 10.0 (Critical)
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:** All PLC devices and industrial controllers utilizing the CODESYS Runtime Environment (v2.x and v3.x).
- **Versions:** CODESYS Runtime Toolkit (prior to V2.4.7.52), CODESYS Control V3 (prior to V3.5.13.30), and CODESYS Gateway (prior to V3.5.13.30).
- **Configurations:** Systems where the CODESYS communication port (typically TCP 1217 or UDP 1210/1211) is accessible over the network.
## Vulnerability Description
The vulnerabilities stem from flaws in the proprietary CODESYS communication protocol used for engineering and data exchange.
1. **Buffer Overflows:** Inadequate validation of data packet sizes during the encapsulation of specialized communication layers allows heap- or stack-based overflows.
2. **Logic Errors:** The protocol's handling of specific command headers allows an attacker to bypass authentication mechanisms or cause a Denial of Service (DoS) by sending malformed packets that exhaust system resources.
3. **Pointer Manipulation:** Lack of checks on memory addresses during data read/write operations allows unauthorized access to the PLC’s memory space.
## Exploitation
- **Status:** PoC developed during research; no widespread exploitation in the wild at the time of publication, though the high number of affected OEM vendors increases the attack surface.
- **Complexity:** Medium (Requires knowledge of the proprietary CODESYS protocol).
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Ability to read sensitive process data and memory).
- **Integrity:** High (Ability to modify PLC logic or force output states).
- **Availability:** High (Potential to crash the PLC runtime, halting industrial processes).
## Remediation
### Patches
- **CODESYS Runtime V3:** Update to version 3.5.13.30 or higher.
- **CODESYS Runtime V2:** Update to version 2.4.7.52 or higher.
- **Note:** Users must contact their specific PLC hardware manufacturer (OEM) to receive the integrated firmware update.
### Workarounds
- **Network Segmentation:** Place PLCs in protected VLANs isolated from the corporate network and the internet.
- **Firewall Filtering:** Restrict access to TCP port 1217 and UDP ports 1210/1211 to authorized Engineering Stations only.
- **Encryption:** Use CODESYS "Security User Management" features and encrypted communication channels where supported.
## Detection
- **Indicators of Compromise:** Unusual traffic spikes on port 1217; repeated PLC restarts; unauthorized "Login" commands recorded in PLC logs.
- **Detection Methods:** Deep Packet Inspection (DPI) using ICS-aware firewalls or IDS signatures that can identify malformed CODESYS protocol headers or "Stop" commands originating from unauthorized IPs.
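The two network-level checks above, restricting the CODESYS ports to authorized engineering stations and watching for traffic spikes on TCP 1217, can be run as a simple post-hoc detection over exported flow records. The following is an added example, not code from the advisory, Kaspersky ICS CERT or CODESYS; the flow-record format, the engineering-station subnet `10.10.5.0/28` and the per-minute spike threshold are all constructed assumptions, and the only page-derived values are the ports (TCP 1217, UDP 1210/1211).

```python
"""Flag CODESYS-port traffic from hosts outside the engineering-station
allowlist, and per-minute connection spikes on TCP 1217, over constructed
flow records.  Added example, not taken from the advisory or from CODESYS."""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Ports named in the advisory summary (TCP 1217, UDP 1210/1211).
CODESYS_PORTS = {("tcp", 1217), ("udp", 1210), ("udp", 1211)}

# Constructed allowlist: the subnet the engineering stations live on (assumption).
AUTHORIZED_ENGINEERING = [ip_network("10.10.5.0/28")]

# Constructed flow export, one record per line:
#   <ISO timestamp> <src> <dst> <proto> <dport> <bytes>
SAMPLE_FLOWS = """\
2024-03-01T08:00:05 10.10.5.3 10.20.1.10 tcp 1217 420
2024-03-01T08:00:09 10.10.5.3 10.20.1.10 tcp 1217 1300
2024-03-01T08:01:10 192.168.50.77 10.20.1.10 tcp 1217 512
2024-03-01T08:01:11 192.168.50.77 10.20.1.10 udp 1210 96
2024-03-01T08:02:01 192.168.50.77 10.20.1.10 tcp 1217 64
2024-03-01T08:02:01 192.168.50.77 10.20.1.10 tcp 1217 64
2024-03-01T08:02:02 192.168.50.77 10.20.1.10 tcp 1217 64
2024-03-01T08:02:02 192.168.50.77 10.20.1.10 tcp 1217 64
2024-03-01T08:02:03 192.168.50.77 10.20.1.10 tcp 1217 64
2024-03-01T08:02:03 192.168.50.77 10.20.1.10 tcp 1217 64
2024-03-01T08:03:00 10.10.5.4 10.20.1.10 tcp 80 200
"""


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record into a dict."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto.lower(), "dport": int(dport), "bytes": int(nbytes)}


def load_flows(text: str = SAMPLE_FLOWS) -> list:
    """Parse every non-empty line of a flow export."""
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def is_authorized(src: str) -> bool:
    """True if the source address belongs to an authorized engineering subnet."""
    addr = ip_address(src)
    return any(addr in net for net in AUTHORIZED_ENGINEERING)


def unauthorized_codesys_access(flows: list) -> list:
    """Flows to a CODESYS port whose source is not an authorized engineering station."""
    return [f for f in flows
            if (f["proto"], f["dport"]) in CODESYS_PORTS and not is_authorized(f["src"])]


def codesys_spikes(flows: list, threshold: int = 5) -> dict:
    """Minutes in which more than `threshold` flows hit TCP 1217.

    The threshold is a constructed baseline; tune it to the site's normal
    engineering traffic before relying on it."""
    per_minute = Counter()
    for f in flows:
        if (f["proto"], f["dport"]) == ("tcp", 1217):
            per_minute[f["ts"].replace(second=0, microsecond=0)] += 1
    return {minute: n for minute, n in per_minute.items() if n > threshold}


if __name__ == "__main__":
    flows = load_flows()
    for f in unauthorized_codesys_access(flows):
        print(f"ALERT unauthorized {f['proto']}/{f['dport']} from {f['src']} at {f['ts']}")
    for minute, n in codesys_spikes(flows).items():
        print(f"ALERT {n} flows to tcp/1217 in the minute starting {minute}")
```

Feeding this a real flow export only requires adapting `parse_flow` to the exporter's column layout; the allowlist check mirrors the firewall rule in the Workarounds section, so any hit is either a missing rule or a host that should not be reaching the PLC at all.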
## References
- CODESYS Advisory: hxxps[://]customers.codesys[.]com/index.php?eID=dumpFile&t=f&f=12941&token=07998b3dc8
- Kaspersky ICS CERT: hxxps[://]ics-cert.kaspersky[.]com/publications/reports/2019/09/18/security-research-codesys-runtime-a-plc-control-framework-part-1/
- ICS-CERT Advisory (ICSA-18-352-02): hxxps[://]www.cisa[.]gov/news-events/ics-advisories/icsa-18-352-02