ICSA-19-255-01  ·  Published 2019-09-12  ·  Source: CISA ICS-CERT

3S-Smart Software Solutions GmbH CODESYS V3 Web Server

CVSS 10.0 CRITICAL

Risk Summary

Successful exploitation of these vulnerabilities may allow an attacker to cause a denial-of-service condition, execute code remotely on the device, or read files that should be restricted.

Remediations

  • 3S-Smart Software Solutions GmbH has released Versions 3.5.12.80, 3.5.14.10, and 3.5.15.0 to resolve the vulnerabilities for the affected CODESYS products.
  • Please visit the CODESYS update page for more information on how to obtain the software update: https://www.codesys.com/download/
  • Updating to Version 3.5.14.10 or higher is recommended over Version 3.5.12.80, which does not resolve the vulnerabilities for all affected products.
  • Use controllers and devices only in a protected environment to minimize network exposure, and ensure that they are not reachable from outside that environment.
  • Use firewalls to protect and separate the control system network from other networks.
  • Use VPN (virtual private network) tunnels if remote access is required.
  • Activate and apply user management and password features.
  • Limit access to both the development and the control system by physical means, operating-system features, etc.
  • Protect both the development and the control system with up-to-date anti-virus solutions. For more information and general recommendations for protecting machines and plants, see also the CODESYS security whitepaper at https://customers.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf

Affected Vendors

3S-Smart Software Solutions GmbH

Affected Products (14)

3S-Smart Software Solutions GmbH · CODESYS Control RTE V3 (for Beckhoff CX) containing the webserver CmpWebServer < 3.5.14.10
3S-Smart Software Solutions GmbH · CODESYS Control for emPC-A/iMX6 containing the webserver CmpWebServer < 3.5.14.10
3S-Smart Software Solutions GmbH · CODESYS Control Win V3 (also part of the CODESYS Development System setup) containing the webserver CmpWebServer < 3.5.14.10
3S-Smart Software Solutions GmbH · CODESYS Control for Linux containing the webserver CmpWebServer < 3.5.14.10
3S-Smart Software Solutions GmbH · CODESYS Control V3 Runtime System Toolkit containing the webserver CmpWebServer < 3.5.14.10
3S-Smart Software Solutions GmbH · CODESYS Control for Raspberry Pi containing the webserver CmpWebServer < 3.5.14.10
3S-Smart Software Solutions GmbH · CODESYS Control for BeagleBone containing the webserver CmpWebServer < 3.5.14.10
3S-Smart Software Solutions GmbH · CODESYS V3 Embedded Target Visu Toolkit containing the webserver CmpWebServer < 3.5.14.10
3S-Smart Software Solutions GmbH · CODESYS Control for PFC100 containing the webserver CmpWebServer < 3.5.14.10
3S-Smart Software Solutions GmbH · CODESYS Control RTE V3 containing the webserver CmpWebServer < 3.5.14.10
3S-Smart Software Solutions GmbH · CODESYS Control for PFC200 containing the webserver CmpWebServer < 3.5.14.10
3S-Smart Software Solutions GmbH · CODESYS V3 Remote Target Visu Toolkit containing the webserver CmpWebServer < 3.5.14.10
3S-Smart Software Solutions GmbH · CODESYS HMI V3 containing the webserver CmpWebServer < 3.5.14.10
3S-Smart Software Solutions GmbH · CODESYS Control for IOT2000 containing the webserver CmpWebServer < 3.5.14.10
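Every product above is listed as affected below 3.5.14.10, while the remediation section also names 3.5.12.80 as a fix that covers only some products. A naive "newer version number is safer" check gets this wrong: 3.5.12.80 is a maintenance release on the SP12 line, so a 3.5.13.x runtime is numerically above it yet has no fixed release named in the advisory. The following inventory triage is an added example written for this page, not tooling from CISA or 3S-Smart Software Solutions; the thresholds come from the advisory text, and the inventory rows are constructed.

```python
"""Triage a CODESYS V3 runtime inventory against ICSA-19-255-01.

Added example; not part of the CISA advisory or of CODESYS tooling.
Version thresholds are taken from the advisory; inventory rows are constructed.
"""
from __future__ import annotations

Version = tuple[int, int, int, int]

# Thresholds stated in the advisory.
FIXED_ALL = (3, 5, 14, 10)      # every affected product is listed as "< 3.5.14.10"
BACKPORT_SP12 = (3, 5, 12, 80)  # SP12 maintenance release; fixes only some products
SP13 = (3, 5, 13, 0)            # start of the next service-pack line


def parse_version(text: str) -> Version:
    """Parse 'V3.5.14.10' or '3.5.14' into a 4-tuple; missing trailing parts become 0."""
    s = text.strip()
    if s[:1] in ("v", "V"):
        s = s[1:]
    parts = s.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CODESYS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return (nums[0], nums[1], nums[2], nums[3])


def assess(version: str) -> str:
    """Classify one runtime version.

    'fixed'    : >= 3.5.14.10 (3.5.15.0 included), outside the affected range
    'backport' : 3.5.12.80 up to the end of the SP12 line; fixed only for some
                 products, so confirm against the vendor's release notes
    'affected' : anything else below 3.5.14.10, which covers all 3.5.13.x,
                 for which the advisory names no fixed release
    """
    v = parse_version(version)
    if v >= FIXED_ALL:
        return "fixed"
    if BACKPORT_SP12 <= v < SP13:
        return "backport"
    return "affected"


# Constructed inventory: (hostname, product, reported runtime version).
INVENTORY = [
    ("plc-line1", "CODESYS Control for PFC200", "3.5.12.30"),
    ("plc-line2", "CODESYS Control for PFC200", "3.5.12.80"),
    ("plc-line3", "CODESYS Control RTE V3", "3.5.13.20"),
    ("plc-line4", "CODESYS Control Win V3", "V3.5.14.10"),
    ("hmi-01", "CODESYS HMI V3", "3.5.15.0"),
]


def triage(inventory=INVENTORY) -> dict[str, list[str]]:
    """Group hostnames by status; 'affected' and 'backport' both need action."""
    out: dict[str, list[str]] = {"affected": [], "backport": [], "fixed": []}
    for host, _product, ver in inventory:
        out[assess(ver)].append(host)
    return out


if __name__ == "__main__":
    for status, hosts in triage().items():
        print(f"{status:9s} {', '.join(hosts) or '-'}")
```

The 'backport' bucket exists because the advisory says 3.5.12.80 does not fix all affected products; a runtime on that release still needs a per-product check, and the safe default is to move it to 3.5.14.10 or higher as the remediation section recommends.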

Affected Sectors

Critical Manufacturing
