CODESYS Control V2 communication

Risk Summary

Successful exploitation of these vulnerabilities may cause a heap-based buffer overflow, a stack-based buffer overflow, or a buffer over-read in the affected CODESYS products. This could result in a denial-of-service condition or allow remote code execution.

CVEs (3)

Remediations

• CODESYS GmbH has released the following product versions to solve the noted vulnerability issues for the affected CODESYS products: CODESYS Runtime Toolkit 32-bit full v2.4.7.55, CODESYS PLCWinNT v2.4.7.55. This will also be part of the CODESYS Development System setup v2.3.9.66
• Please visit the CODESYS update area for more information on how to obtain the software updates.
• Use controllers and devices only in a protected environment to minimize network exposure, ensuring they are not accessible from outside.
• Use firewalls to protect and separate the control system network from other networks.
• Use VPN (virtual private network) tunnels if remote access is required.
• Activate and apply user management and password features.
• Use encrypted communication links.
• Limit access to both development and control system by physical means, operating system features, etc.
• Protect both development and control system operations by using up to date virus detecting solutions.
• For more information and general recommendations for protecting machines and plants, see also the CODESYS Security Whitepaper.
• Please see CODESYS Advisory 2021-06 for more information.

Affected Vendors

Affected Products (2)

Affected Sectors

Critical Manufacturing