Industrial Programmable Logic Controllers (PLCs) across the globe are at risk due to 15 vulnerabilities found in the CODESYS V3 software development kit. These vulnerabilities could allow remote code execution (RCE) and denial of service (DoS) attacks. Over 500 manufacturers worldwide use the CODESYS V3 SDK to program over 1,000 PLC models in accordance with the IEC 61131-3 standard. The software lets users create custom automation sequences and provides a Windows management interface and a simulator for testing PLC configurations and programming before deployment.
Microsoft researchers discovered these vulnerabilities in the CODESYS V3 SDK and reported them to CODESYS in September 2022. In response, the vendor released security updates in April 2023. However, due to the nature of these devices, they are not frequently updated to address security issues. As a result, Microsoft's security team has published a detailed post to raise awareness about the risks and to encourage faster patching.
In their investigation, Microsoft examined two PLCs from Schneider Electric and WAGO that utilize CODESYS V3. They discovered 15 high-severity vulnerabilities (CVSS v3: 7.5 – 8.8), including CVE-2022-47378, CVE-2022-47379, CVE-2022-47380, CVE-2022-47381, CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47385, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, CVE-2022-47390, CVE-2022-47392, and CVE-2022-47393.
The primary issue lies in the tag decoding mechanism of the SDK. Specifically, tags are copied into the device buffer without verifying their size, which provides attackers with a buffer overflow opportunity. These tags carry data or data structures that are crucial for the PLC's function. This buffer overflow issue is not isolated, as Microsoft found it in 15 CODESYS V3 SDK components.
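The missing size check described above, shown as an added example in its corrected form (this is not CODESYS or Microsoft code). The tag layout of a 1-byte id, a 2-byte little-endian length and the value, the 16-byte buffer, and all names are assumptions made for illustration and are not the CODESYS wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_BUF_MAX 16  /* fixed device-side buffer; the size is an assumption */

enum tag_status { TAG_OK = 0, TAG_TRUNCATED = -1, TAG_TOO_LARGE = -2 };

struct tag {
    uint8_t  id;
    uint16_t len;
    uint8_t  value[TAG_BUF_MAX];
};

/* Decode one tag in the hypothetical layout [id:1][len:2 LE][value:len]. */
enum tag_status decode_tag(const uint8_t *in, size_t in_len,
                           struct tag *out, size_t *consumed)
{
    if (in_len < 3)                       /* header itself is incomplete */
        return TAG_TRUNCATED;
    uint16_t len = (uint16_t)(in[1] | (in[2] << 8));
    if (len > sizeof out->value)          /* declared size vs. destination buffer:
                                             the kind of check the article says was absent */
        return TAG_TOO_LARGE;
    if (len > in_len - 3)                 /* declared size vs. bytes actually received */
        return TAG_TRUNCATED;
    out->id = in[0];
    out->len = len;
    memcpy(out->value, in + 3, len);      /* safe: len is bounded on both sides */
    *consumed = 3u + len;
    return TAG_OK;
}

/* Constructed sample messages, not captured traffic. */
static const uint8_t SAMPLE_OK[]       = { 0x01, 0x04, 0x00, 'P', 'L', 'C', '1' };
static const uint8_t SAMPLE_OVERSIZE[] = { 0x02, 0x00, 0x01, 0xAA };       /* claims 256 bytes */
static const uint8_t SAMPLE_SHORT[]    = { 0x03, 0x08, 0x00, 0x01, 0x02 }; /* claims 8, carries 2 */

int main(void)
{
    struct tag t;
    size_t n = 0;
    printf("ok=%d\n", decode_tag(SAMPLE_OK, sizeof SAMPLE_OK, &t, &n));
    printf("oversize=%d\n", decode_tag(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE, &t, &n));
    printf("short=%d\n", decode_tag(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &t, &n));
    return 0;
}
```

Both comparisons are needed: the first protects the destination buffer from an oversized declared length, the second stops the copy from reading past the end of the received message.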
While exploitation of these flaws requires authentication, Microsoft indicates that this requirement can be bypassed using CVE-2019-9013, another flaw affecting CODESYS V3 that exposes user credentials during transport in cleartext form. In 12 out of the 15 cases, Microsoft's analysts were able to leverage the flaw to gain remote code execution on the PLC.
CODESYS's security advisory lists several products as impacted if they run versions before 22.214.171.124, regardless of the hardware and OS configuration. Additional products are affected on versions prior to 126.96.36.199. Administrators are urged to upgrade to CODESYS V3 v188.8.131.52 as soon as possible, and Microsoft also recommends disconnecting PLCs and other critical industrial devices from the internet.