Vulnerabilities in CODESYS V3 SDK could lead to OT environments being exploited using RCE, DoS attacks

Researchers at Microsoft’s cyber-physical system team recently identified multiple high-severity vulnerabilities in the CODESYS V3 software development kit (SDK), a software development environment widely used to program and engineer programmable logic controllers (PLCs). Exploitation of these discovered vulnerabilities, which affect all versions of CODESYS V3 prior to version 3.5.19.0, could put operational technology (OT) infrastructure at risk of attacks, such as remote code execution (RCE) and denial of service (DoS).

Identifying that CODESYS V3 versions prior to 3.5.19.0 are vulnerable to the discovered vulnerabilities, the Microsoft researchers said that a security issue was discovered inside the tag decoding mechanism that led to multiple vulnerabilities that could put devices at risk of attacks such as RCE and DoS. “We were able to apply 12 of the buffer overflow vulnerabilities to gain RCE of PLCs. Exploiting the vulnerabilities requires user authentication as well as bypassing the Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) used by both the PLCs,” the post added. 

Furthermore, the Microsoft Threat Intelligence researchers revealed that exploiting the discovered vulnerabilities, however, requires user authentication, as well as deep knowledge of the proprietary protocol of CODESYS V3 and the structure of the different services that the protocol uses. “Microsoft researchers reported the discovery to CODESYS in September 2022 and worked closely with CODESYS to ensure that the vulnerabilities are patched.”

“With CODESYS being used by many vendors, one vulnerability may affect many sectors, device types, and verticals, let alone multiple vulnerabilities. All the vulnerabilities can lead to DoS and 1 RCE,” the researchers identified. “While exploiting the discovered vulnerabilities requires deep knowledge of the proprietary protocol of CODESYS V3 as well as user authentication (and additional permissions are required for an account to have control of the PLC), a successful attack has the potential to inflict great damage on targets.”

Additionally, the post said that hackers could launch a DoS attack against a device using a vulnerable version of CODESYS to shut down industrial operations or exploit the RCE vulnerabilities to deploy a backdoor to steal sensitive data, tamper with operations, or force a PLC to operate in a dangerous way. 

Typically deployed across various industries, CODESYS can be found across factory automation, energy automation, and process automation, among others. The researchers said that CODESYS V3 versions prior to 3.5.19.0 are vulnerable to the discovered vulnerabilities. 

The researchers said that the vulnerabilities were uncovered by Microsoft researchers while examining the security of the CODESYS V3 proprietary protocol “as part of our goal to improve the security standards and create forensic tools for OT devices. During this research, we examined the structure and security of the protocol that is used by many types and vendors of PLCs.  We examined the following two PLCs that use CODESYS V3 from different vendors: Schneider Electric Modicon TM251 and WAGO PFC200,” they added.

The Microsoft post identified that the CODESYS network protocol works over either TCP or UDP – Ports 11740-11743 for TCP and Ports 1740-1743 for UDP.

The CODESYS network protocol consists of four layers: a block driver layer that creates the capability to communicate over a physical or software interface, over TCP or UDP; a datagram layer that enables communication between components and endpoints through physical or virtual interfaces; a channel layer that is responsible for creating, managing, and closing communications channels; and the services layer, which represents a combination of several layers of the ISO/OSI model session layer, presentation layer, and application layer. 

The services layer consists of components, each of which is responsible for a portion of the functionality of the PLC and has services that it supports. Other tasks of the Services layer include encoding/decoding and encrypting/decrypting the data transmitted on that layer. Additionally, the Services layer is also responsible for tracking the client-server session.

The researchers also revealed that there are two types of tags: parent and data. Both tags have identical structures, but different sizes and purposes. Tags can represent any type of data, and the component extracts it. The difference between a parent tag and a data tag is that a parent tag is used for linking several tags into one logical element.

Tags contain several important structures, including ‘BTagReader’ and ‘BTagWriter,’ which include data; current position in data; and size of data.

These structures are allocated for each request and exist only in the request context. Each request handler creates BTagWriter and BTagReader tags and uses them to parse and handle requests. Tag IDs are not unique across services, meaning each service may have its own definition for a tag ID. Tag IDs are handled in the context of each service.

The post added that information on the patch released by CODESYS to address these vulnerabilities can be found online. “We strongly urge CODESYS users to apply these security updates as soon as possible. We also thank CODESYS for their collaboration and recognizing the urgency in addressing these vulnerabilities.”

The researchers recommended first identifying the devices using CODESYS in the network and checking with device manufacturers to determine which version of the CODESYS SDK is used and whether a patch is available. Updating the device firmware to version 3.5.19.0 or above is also recommended. 

Additional general recommendations to protect the network include the application of patches to affected devices, updating the firmware to version 3.5.19.0 or above, disconnecting critical devices, and restricting access to CODESYS devices to authorized components. Furthermore, prioritize patching by ensuring proper segmentation, requiring unique usernames and passwords, and reducing users with writing authentication.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.