Positive Technologies uncovers serious threats to industrial control systems worldwide

Published: Wednesday, 09 June 2021 07:25

Positive Technologies experts have identified 10 vulnerabilities in the CODESYS automation software for industrial control systems. Some are of high and critical severity. CODESYS has fixed the vulnerabilities and released related security advisories.

The most dangerous problems were revealed in the CODESYS V2.3 web server component used by CODESYS WebVisu to display a human-machine interface in a web browser. Multiple vulnerabilities discovered in this component received a CVSS 3.0 score of 10 and identifiers CVE-2021-30189, CVE-2021-30190, CVE-2021-30191, CVE-2021-30192, CVE-2021-30193, and CVE-2021-30194.

Other vulnerabilities, rated 8.8, were found in the CODESYS Control V2 communication runtime system, which enables embedded PC systems to act as programmable industrial controllers. Identifiers: CVE-2021-30186, CVE-2021-30188, and CVE-2021-30195.

Finally, vulnerability CVE-2021-30187, discovered in the CODESYS Control V2 Linux SysFile library, was rated 5.3. This vulnerability can be used to call additional PLC functions utilizing the SysFile system library. Attackers can, for example, delete some files and potentially disrupt particular technological processes.

To exploit the vulnerabilities, an attacker does not need a username or password; having network access to the industrial controller is enough. According to the researchers, the main cause of the vulnerabilities is insufficient verification of input data, which may itself be caused by failure to comply with secure development recommendations.

To eliminate the vulnerabilities, companies are advised to follow the recommendations in the official CODESYS notices.