Microsoft Discloses Codesys Flaws Allowing Shutdown of Industrial Operations, Spying
HomeHome > Blog > Microsoft Discloses Codesys Flaws Allowing Shutdown of Industrial Operations, Spying

Microsoft Discloses Codesys Flaws Allowing Shutdown of Industrial Operations, Spying

Jun 22, 2023

Over a dozen Codesys vulnerabilities discovered by Microsoft researchers can be exploited to shut down industrial processes or deploy backdoors.

By

Flipboard

Reddit

Pinterest

Whatsapp

Whatsapp

Email

Over a dozen vulnerabilities discovered by Microsoft researchers in Codesys products can be exploited to cause disruption to industrial processes or deploy backdoors that allow the theft of sensitive information.

Germany-based Codesys makes automation software for engineering control systems. Its products are used by some of the world’s largest industrial control system (ICS) manufacturers, the vendor claiming that its software is found in millions of devices — roughly 1,000 different types of products made by over 500 manufacturers.

Microsoft researchers specializing in the security of cyberphysical systems have discovered a total of 16 vulnerabilities in Codesys Control V3 versions prior to 3.5.19.0. The security holes were reported to Codesys in September 2022 and patches were announced in April 2023.

All of the vulnerabilities have been assigned a ‘high severity’ rating. They can be exploited for denial-of-service (DoS) attacks or for remote code execution (RCE).

Threat actors could exploit them to target programmable logic controllers (PLCs) and other ICS devices using Codesys software. Microsoft’s research focused on PLCs made by Schneider Electric and Wago.

While exploitation of the vulnerabilities requires authentication, the researchers showed how hackers could exploit older Codesys flaws, such as CVE-2019-9013, to achieve this.

“While exploiting the discovered vulnerabilities requires deep knowledge of the proprietary protocol of Codesys V3 as well as user authentication (and additional permissions are required for an account to have control of the PLC), a successful attack has the potential to inflict great damage on targets,” Microsoft explained.

It added, “Threat actors could launch a DoS attack against a device using a vulnerable version of Codesys to shut down industrial operations or exploit the RCE vulnerabilities to deploy a backdoor to steal sensitive data, tamper with operations, or force a PLC to operate in a dangerous way.”

Microsoft has published a lengthy blog post describing the vulnerabilities and how they can be exploited. The tech giant has also made available an open source tool designed to help users identify affected devices.

Codesys also has an advisory describing the flaws (direct download link).

The Codesys vulnerabilities were summarized in a session at the Black Hat cybersecurity conference this week by Microsoft researcher Vladimir Tokarev.

Related: Codesys Patches 11 Flaws Likely Affecting Controllers From Several ICS Vendors

Related: Serious Vulnerabilities Found in CODESYS Software Used by Many ICS Products

Related: OT:Icefall Continues With Vulnerabilities in Festo, Codesys Products

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.

Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.

While quantum-based attacks are still in the future, organizations must think about how to defend data in transit when encryption no longer works.(Marie Hattar)

Just as a professional football team needs coordination, strategy and adaptability to secure a win on the field, a well-rounded cybersecurity strategy must address specific challenges and threats.(Matt Wilson)

As the SEC cyber incident disclosure rules come into effect, organizations will be forced to seriously consider giving security leaders a seat at the table.(Marc Solomon)

Working remotely is here to stay and businesses should continue to make sure their basic forms of communication are properly configured and secured.(Matt Honea)

The complexity and challenge of distributed cloud environments often necessitate managing multiple infrastructure, technology, and security stacks, multiple policy engines, multiple sets of controls, and multiple asset inventories.(Joshua Goldfarb)

Flipboard

Reddit

Pinterest

Whatsapp

Whatsapp

Email

The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...

More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.

Over a dozen vulnerabilities discovered by Microsoft researchers in Codesys products can be exploited to cause disruption to industrial processes or deploy backdoors that allow the theft of sensitive information.Learn More at SecurityWeek’s ICS Cyber Security ConferenceRelatedRelatedRelated