A DoS attack against a device using a vulnerable version of Codesys could allow the attackers to shut down plants, while remote code execution could create a backdoor allowing attackers to tamper with operations, causing PLCs to run in unusual ways, or to steal critical information.
Microsoft researchers reported their discovery of 15 vulnerabilities to the German-based Codesys organisation in September 2022 and worked closely with Codesys to help develop patches that Codesys released earlier this year. In a blog on its discovery, Microsoft “strongly” urges Codesys users to apply these updates as soon as possible.
It points out, however, that to exploit the vulnerabilities would require user authentication, as well as a deep knowledge of the Codesys V3 protocol and the structure of the services that the protocol uses.
Codesys is a vendor- and platform-independent development environment that helps automation device manufacturers to implement the IEC 61131-3 programming standard. It can be used to create both hardware- and software-based controllers.
For their research, the Microsoft analysts examined the structure and security of the Codesys protocol, focusing in particular on Schneider Electric’s Modicon TM251 and Wago’s PFC200 PLCs – both of which are Codesys-based.
As part of its research into Codesys vulnerabilities, Microsoft examined PLCs from Wago (left) and Schneider Electric
Other automation suppliers that use Codesys include ABB, Advantech, Bosch Rexroth, Delta Electronics, Eaton, Festo, Hitachi, ifm, Inovance, KEB, Lenze, NUM, Opto 22, Parker Hannifin, WEG and Weidmuller. There are reckoned to be more than 200,000 Codesys end-users worldwide, with several million Codesys devices in service.
Codesys has issued an advisory about the patches.
Microsoft Security: Twitter LinkedIn
Codesys: LinkedIn
