Microsoft researchers focusing on industrial control system found a significant number of vulnerabilities in CODESYS V3 software development kit which is used in multiple industrial devices such as programmable logic controllers (PLC).
- all versions of CODESYS V3 prior to version 126.96.36.199
All variants of the following CODESYS V3 products in all versions prior V188.8.131.52 containing at least one of the components CmpApp, CmpAppBP, CmpAppForce, CmpFiletransfer or CmpTraceMgr are affected, regardless of the CPU type or operating system:
- CODESYS Control RTE (SL)
- CODESYS Control RTE (for Beckhoff CX) SL
- CODESYS Control Win (SL)
- CODESYS Control Runtime System Toolkit
- CODESYS Safety SIL2 Runtime Toolkit
- CODESYS Safety SIL2 PSP
- CODESYS HMI (SL)
- CODESYS Development System V3
- CODESYS Development System V3, the simulation runtime is also affected
In addition, the following products based on the CODESYS Control V3 Runtime System Toolkit are affected in all versions prior to V184.108.40.206:
- CODESYS Control for BeagleBone SL
- CODESYS Control for emPC-A/iMX6 SL
- CODESYS Control for IOT2000 SL
- CODESYS Control for Linux SL
- CODESYS Control for PFC100 SL
- CODESYS Control for PFC200 SL
- CODESYS Control for PLCnext SL
- CODESYS Control for Raspberry Pi SL
- CODESYS Control for WAGO Touch Panels 600 SL
|Vulnerabiloty||CODESYS Component Impacted|
|CVE-2022-47392||CmpApp/ CmpAppBP/ CmpAppForce|
Patches have been released to address this vulnerability by CODESYS.
- Limit access to industrial control systems with at least network packet filtering to limit network exposure
- Update/Upgrade the software components immediately and generally keep the infrastructure up-to-date
- Review logs and check system integrity
CIRCL (Computer Incident Response Center Luxembourg) sends notifications to ISPs and known contact points when publicly exposed vulnerable devices were discovered. If you would like to directly share your IP resources for notifying the appropriate contact point, please reach out to us.
While industrial systems ideally should remain private, it’s worth noting that there are certain exposed interfaces in Luxembourg.
- [Vendor] - CODESYS Advisory 2023-02
- [Reporter] - Multiple high severity vulnerabilities in CODESYS V3 SDK could lead to RCE or DoS
- [Reporter] - Microsoft ICS Forensics Framework
Classification of this document
TLP:CLEAR information may be distributed without restriction, subject to copyright controls.
- Version 1.0 - TLP:CLEAR - First version - 14th August 2023