SD1659 | LP30/40/50 and BM40 Operator Interface Vulnerable to CODESYS Vulnerabilities

Published Date: January 25, 2024

Last updated: January 25, 2024

Revision Number: 1.0

CVSS Score: 8.8

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS

The CODESYS Control runtime system is utilized in the affected ASEM™ (A Rockwell Automation Company) products and enables embedded or PC-based devices to be programmable industrial controllers. Such products contain communication servers for the CODESYS protocol to enable communication with clients like the CODESYS Development System.

These products have the following vulnerabilities:

CVE-2022-47378 IMPACT

CVSS Base Score: 6.5/10 (Medium)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-1288: Improper Validation of Consistency within Input

After successful authentication, specifically crafted communication requests with inconsistent content can cause the CmpFiletransfer component to read internally from an invalid address, potentially leading to a denial-of-service condition.

CVE-2022-47379 IMPACT

CVSS Base Score: 8.8/10 (High)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-787: Out-of-bounds Write

After successful authentication, specifically crafted communication requests can cause the CmpApp component to write threat actor-controlled data to memory, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47380, CVE-2022-47381 IMPACT

CVSS Base Score: 8.8/10 (High)

CWE-121: Stack-based Buffer Overflow

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

After successful authentication, specifically crafted communication requests can cause the CmpApp component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, CVE-2022-47390 IMPACT

CVSS Base Score: 8.8/10 (High)

CWE-121: Stack-based Buffer Overflow

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

After successful authentication, specifically crafted communication requests can cause the CmpTraceMgr

component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47385 IMPACT

CVSS Base Score: 8.8/10 (High)

CWE-121: Stack-based Buffer Overflow

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

After successful authentication, specifically crafted communication requests can cause the CmpAppForce

component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47392 IMPACT

CVSS Base Score: 6.5/10 (Medium)

CWE-1288: Improper Validation of Consistency within Input

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

After successful authentication, specifically crafted communication requests with inconsistent content can cause the CmpApp/CmpAppBP/CmpAppForce components to read internally from an invalid address, potentially leading to a denial-of-service condition.

CVE-2022-47393 IMPACT

CVSS Base Score: 6.5/10 (Medium)

CWE-822: Untrusted Pointer Dereference

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

After successful authentication, specifically crafted communication requests can cause the cmpFiletransfer component to dereference addresses provided by the request for internal read access, which can lead to a denial-of-service situation.

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·       Upgrade to CODESYS version 3.5.19.2 which has been released to mitigate these issues.

·       Additionally, we encourage the customer to implement our suggested security best practices to minimize risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

CODESYS Advisory