Risk Summary
Successful exploitation of this vulnerability allows an local, unprivileged attacker to access limited internal data of the PLC, which may lead to a crash of the affected service.
CVEs (1)
Remediations
- CODESYS GmbH recommends users update OSCAT Basic Library to address the security vulnerability:
- Update the OSCAT Basic Library to Version 3.3.5.
- To make the fix effective for existing CODESYS projects, the user also must adjust the version of the OSCAT Basic library to be used in the Library Manager of the CODESYS project to Version 3.3.5.0. Then the user must update the CODESYS application on the PLC by download or online change and rebuild/download the boot application.
- Without an update, the vulnerability can be prevented by validating all values in the PLC program before they are passed to the affected function. In particular, negative values must be blocked as function parameters of MONTH_TO_STRING.
- Regardless of whether the OSCAT Basic library in the programming system was updated or the security vulnerability in the PLC program was mitigated, a download or online change must be performed to update the application on the PLC. CODESYS reminds users to rebuild/download the boot project.
- For more information see the associated CERT@VDE security advisory.
- For a list of system environments the library has been validated against see OSCAT's library documentation.
Affected Vendors
CODESYS GmbH
Affected Products (3)
CODESYS GmbH
·
CODESYS OSCAT Basic Library
3.3.5.0
CODESYS GmbH
·
oscat.de OSCAT Basic Library
<=3.3.5
CODESYS GmbH
·
oscat.de OSCAT Basic Library
<=335
Affected Sectors
Critical Manufacturing, Energy, Water and Wastewater Systems
Get alerted to advisories like this
OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.
Start free trial Learn more