Forescout Technologies has disclosed the details of three new vulnerabilities identified by its researchers in operational technology (OT) products from Festo and Codesys.
Identified as part of the OT:Icefall research that led to the public disclosure of 56 vulnerabilities in OT products from multiple vendors, these issues are another exemplification of an insecure-by-design approach common at the time the impacted products were launched.
Codesys is an automation suite used in over 1,000 device models from over 500 manufacturers. Any vulnerability potentially impacts millions of products. Festo’s automation platform is employed in electric and pneumatic systems, mainly in the manufacturing sector.
Two of the newly disclosed vulnerabilities (CVE-2022-3079 and CVE-2022-3270) impact several Festo automation controllers, while the third (CVE-2022-4048) was identified in the Codesys runtime.
“These issues are similar to others we have recently disclosed as part of OT:Icefall. CVE-2022-4048 is an example of weak cryptography, CVE-2022-3079 exemplifies lack of authentication and CVE-2022-3270 falls in the category of insecure engineering protocols,” Forescout notes.
During their investigation, Forescout security researchers also discovered that several Festo products are impacted by known Codesys vulnerabilities, including CVE-2022-31806 and CVE-2022-22515, which were patched roughly six months ago.
These products are “shipped with an unsafe configuration of the Codesys runtime environment. This is yet another example of a supply chain issue where a vulnerability has not been disclosed for all the products it affects,” Forescout says.
CVE-2022-4048, the security firm explains, exists because the Codesys V3 runtime environment, which offers application encryption, does not generate session keys using a secure pseudo-random number generator. Furthermore, the encryption scheme in the runtime uses an insecure mode of operation.
CVE-2022-3079 and CVE-2022-3270, on the other hand, are two security defects that could allow attackers to reboot Festo programmable logic controllers (PLCs), which could create a denial-of-service (DoS) condition.
The first of the bugs exists because there is a hidden, undocumented web page on Festo CPX-CEC-C1 and CPX-CMXX PLCs, which leads to immediate device reboot when accessed. The second issue can be triggered by sending a UDP message to multicast group 239.255.2.3 on port 10002, via the Festo Generic Multicast (FGMC) protocol.
According to Forescout, Festo’s controllers can also be rebooted via the PLC Browser tool, a text-based monitor for controllers running Codesys, because they have not been patched against CVE-2022-31806 and CVE-2022-22515.
“As usual with vulnerabilities on software components (‘supply chain’ vulnerabilities), there was no indication of which devices were affected by it,” Forescout notes.
Both Codesys (direct PDF download) and Festo (advisory 1, advisory 2) have acknowledged these issues and announced patches for them.
Related: ICS Vendors Respond to OT:Icefall Vulnerabilities Impacting Critical Infrastructure
Related: Many Healthcare, OT Systems Exposed to Attacks by NUCLEUS:13 Vulnerabilities
Related: Nearly 100 TCP/IP Stack Vulnerabilities Found During 18-Month Research Project
