
Positive Technologies experts have identified 10 vulnerabilities in the CODESYS automation software for industrial control systems. Some are of high and critical severity. CODESYS has fixed the vulnerabilities and released related security advisories.

The most dangerous problems were revealed in the CODESYS V2.3 web server component used by CODESYS WebVisu to display a human-machine interface in a web browser. Multiple vulnerabilities discovered in this component received a CVSS 3.0 score of 10 and identifiers CVE-2021-30189, CVE-2021-30190, CVE-2021-30191, CVE-2021-30192, CVE-2021-30193, and CVE-2021-30194.

Other vulnerabilities, rated 8.8, were found in the CODESYS Control V2 communication runtime system, which enables embedded PC systems to act as programmable industrial controllers. Identifiers: CVE-2021-30186, CVE-2021-30188, and CVE-2021-30195.

Finally, the vulnerability CVE-2021-30187, discovered in the CODESYS Control V2 Linux SysFile library, was rated 5.3. This vulnerability can be used to call additional PLC functions through the SysFile system library. Attackers can, for example, delete some files and potentially disrupt particular technological processes.

To exploit the vulnerabilities, an attacker does not need a username or password; network access to the industrial controller is enough. According to the researchers, the main cause of the vulnerabilities is insufficient verification of input data, which may itself stem from a failure to follow secure development recommendations.
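The root cause the researchers name, insufficient verification of input data, is the general class of defect in which a length or size field taken from the network drives a copy or allocation before it has been checked. The following is an added illustration of that class and of the checks a defender expects to see; it is not CODESYS code and does not model the CODESYS protocol. The two-byte length-prefixed frame format, the `parse_frame` function and the `MAX_PAYLOAD` limit are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical wire format, constructed for this example (not CODESYS's):
 *   [2-byte big-endian payload length][payload bytes]
 * The destination buffer is fixed-size, so the attacker-controlled length
 * field must be validated before it is allowed to drive memcpy. */
#define MAX_PAYLOAD 256

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT_HEADER = 1,  /* fewer bytes than a length field needs      */
    PARSE_TOO_LONG = 2,      /* declared length exceeds the output buffer  */
    PARSE_TRUNCATED = 3      /* declared length exceeds bytes received     */
};

/* Copy one frame's payload from buf (buf_len bytes received from the
 * network) into out, which must hold MAX_PAYLOAD bytes.  Every value that
 * originates on the wire is checked before it influences memory access;
 * this is the check whose absence the advisory's root cause describes. */
enum parse_status parse_frame(const uint8_t *buf, size_t buf_len,
                              uint8_t *out, size_t *out_len)
{
    if (buf_len < 2)
        return PARSE_SHORT_HEADER;

    size_t declared = ((size_t)buf[0] << 8) | buf[1];

    /* Check 1: the length the peer claims must fit the destination buffer.
     * Without it, a frame with length 0xFFFF writes past `out`. */
    if (declared > MAX_PAYLOAD)
        return PARSE_TOO_LONG;

    /* Check 2: the claimed length must not exceed what was actually
     * received, or the copy reads past the end of `buf`. */
    if (declared > buf_len - 2)
        return PARSE_TRUNCATED;

    memcpy(out, buf + 2, declared);
    *out_len = declared;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample frames: one well-formed, one with a lying length. */
    const uint8_t good[]  = {0x00, 0x03, 'a', 'b', 'c'};
    const uint8_t lying[] = {0xFF, 0xFF, 'a'};
    uint8_t out[MAX_PAYLOAD];
    size_t n = 0;

    printf("good frame  -> status %d, %zu payload bytes\n",
           parse_frame(good, sizeof good, out, &n), n);
    printf("lying frame -> status %d (rejected before any copy)\n",
           parse_frame(lying, sizeof lying, out, &n));
    return 0;
}
```

The two checks are deliberately separate: the first protects the destination buffer regardless of how much data arrived, the second protects the source buffer regardless of how large the destination is. Code that performs only one of them still has an out-of-bounds access reachable from the network, and, as the article notes for these advisories, a flaw at this layer is reached before any username or password is ever consulted.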

To eliminate the vulnerabilities, companies are advised to follow the recommendations in the official CODESYS advisories.
