Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

OT:Icefall Continues With Vulnerabilities in Festo, Codesys Products

Forescout Technologies has disclosed the details of three new vulnerabilities identified by its researchers in operational technology (OT) products from Festo and Codesys.

Forescout Technologies has disclosed the details of three new vulnerabilities identified by its researchers in operational technology (OT) products from Festo and Codesys.

Identified as part of the OT:Icefall research that led to the public disclosure of 56 vulnerabilities in OT products from multiple vendors, these issues are another exemplification of an insecure-by-design approach common at the time the impacted products were launched.

Codesys is an automation suite used in over 1,000 device models from over 500 manufacturers. Any vulnerability potentially impacts millions of products. Festo’s automation platform is employed in electric and pneumatic systems, mainly in the manufacturing sector.

Two of the newly disclosed vulnerabilities (CVE-2022-3079 and CVE-2022-3270) impact several Festo automation controllers, while the third (CVE-2022-4048) was identified in the Codesys runtime.

“These issues are similar to others we have recently disclosed as part of OT:Icefall. CVE-2022-4048 is an example of weak cryptography, CVE-2022-3079 exemplifies lack of authentication and CVE-2022-3270 falls in the category of insecure engineering protocols,” Forescout notes.

During their investigation, Forescout security researchers also discovered that several Festo products are impacted by known Codesys vulnerabilities, including CVE-2022-31806 and CVE-2022-22515, which were patched roughly six months ago.

These products are “shipped with an unsafe configuration of the Codesys runtime environment. This is yet another example of a supply chain issue where a vulnerability has not been disclosed for all the products it affects,” Forescout says.

CVE-2022-4048, the security firm explains, exists because the Codesys V3 runtime environment, which offers application encryption, does not generate session keys using a secure pseudo-random number generator. Furthermore, the encryption scheme in the runtime uses an insecure mode of operation.

CVE-2022-3079 and CVE-2022-3270, on the other hand, are two security defects that could allow attackers to reboot Festo programmable logic controllers (PLCs), which could create a denial-of-service (DoS) condition.

The first of the bugs exists because there is a hidden, undocumented web page on Festo CPX-CEC-C1 and CPX-CMXX PLCs, which leads to immediate device reboot when accessed. The second issue can be triggered by sending a UDP message to multicast group 239.255.2.3 on port 10002, via the Festo Generic Multicast (FGMC) protocol.

According to Forescout, Festo’s controllers can also be rebooted via the PLC Browser tool, a text-based monitor for controllers running Codesys, because they have not been patched against CVE-2022-31806 and CVE-2022-22515.

“As usual with vulnerabilities on software components (‘supply chain’ vulnerabilities), there was no indication of which devices were affected by it,” Forescout notes.

Both Codesys (direct PDF download) and Festo (advisory 1, advisory 2) have acknowledged these issues and announced patches for them.

Related: ICS Vendors Respond to OT:Icefall Vulnerabilities Impacting Critical Infrastructure

Related: Many Healthcare, OT Systems Exposed to Attacks by NUCLEUS:13 Vulnerabilities

Related: Nearly 100 TCP/IP Stack Vulnerabilities Found During 18-Month Research Project

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.