Chinese cybersecurity firm NSFOCUS spotted 11 critical security flaws in the CoDeSys automation software.
According to an advisory by the security experts, the vulnerabilities could be exploited to gain unauthorized access to company resources or carry out denial-of-service (DoS) attacks.
“These vulnerabilities are simple to exploit, and they can be successfully exploited to cause consequences such as sensitive information leakage, [programmable logic controllers] (PLCs) entering a severe fault state, and arbitrary code execution,” reads the document.
“In combination with industrial scenarios on [the] field, these vulnerabilities could expose industrial production to stagnation, equipment damage, etc.”
NSFOCUS said it first disclosed the flaws to CoDeSys between September 2021 and January 2022. CoDeSys then released a patch last week, described in two separate advisories.
Of the 11 flaws found by NSFOCUS, the advisories released by the company rate two of them as Critical, seven as High and two as Medium in terms of severity.
For context, the two Critical flaws mentioned in the document have a common vulnerability scoring system (CVSS) of 9.8. The first one refers to the cleartext use of passwords used to authenticate before carrying out operations on the PLCs, while the second describes a failure to activate password protection as a default option in the CoDeSys Control runtime system.
Exploiting these two flaws may allow malicious actors to gain control of the target PLC device or download a rogue project to a PLC and then execute arbitrary code.
The other flaws discovered by NSFOCUS may mainly lead to DoS conditions.
While CoDeSys has released patches for all these vulnerabilities, NSFOCUS said many vendors who use CoDeSys V2 runtime have not yet updated their software to the latest version.
“Factories using these affected products are still [at] serious risk,” NSFOCUS wrote.
This is not the first time vulnerabilities have been found in the CoDeSys software. A decade ago, a backdoor was found in the software that granted command shell access to anyone who knew the correct syntax
