Security Experts:

Web Server Used in 100 ICS Products Affected by Critical Flaw

A critical vulnerability that could allow a remote attacker to execute arbitrary code has been found in a component used by more than 100 industrial control systems (ICS) from tens of vendors.

The flaw affects the web server component of 3S-Smart Software Solutions’ CODESYS WebVisu product, which allows users to view human-machine interfaces (HMIs) for programmable logic controllers (PLCs) in a web browser.

According to the CODESYS website, the WebVisu product is used in 116 PLCs and HMIs from roughly 50 vendors, including Schneider Electric, WAGO, Hitachi, Advantech, Beck IPC, Berghof Automation, Hans Turck, and NEXCOM.

Zhu WenZhe of Istury IOT discovered that the CODESYS web server is affected by a stack-based buffer overflow vulnerability that could allow an attacker to cause a denial-of-service (DoS) condition and possibly even execute arbitrary code on the web server.

“A crafted web server request may cause a buffer overflow and could therefore execute arbitrary code on the web server or lead to a denial-of service condition due to a crash in the web server,” 3S-Smart Software Solutions explained in an advisory.

The vendor says that while there is no evidence that the flaw has been exploited in the wild, even an attacker with low skill may be able to exploit it remotely.

Related: Learn More at SecurityWeek’s ICS Cyber Security Conference

The vulnerability is tracked as CVE-2018-5440 and it has been assigned a CVSS score of 9.8. CODESYS v2.3 web servers running on any version of Windows (including Windows Embedded Compact) as stand-alone or part of the CODESYS runtime system prior to version 1.1.9.19 are affected. Version 1.1.9.19, which is also part of the CODESYS 2.3.9.56 setup, patches the vulnerability.

While 3S-Smart Software Solutions says it has not identified any workarounds for this security hole, the company has advised organizations to ensure that access to controllers is restricted through minimization of network exposure, and the use of firewalls and VPNs. The company has also published a white paper with general recommendations on security in industrial control applications.

Vulnerabilities in CODESYS components are not uncommon. Last April, industrial cybersecurity startup CyberX uncovered several critical flaws in the CODESYS web server. More recently, SEC Consult reported that a CODESYS component flaw exposed PLCs from WAGO and possibly other vendors to attacks.

Shodan has been crawling port 2455, which is specific to the CODESYS protocol, since 2014. The search engine currently shows more than 5,600 systems reachable via this port, with a majority in the United States, Germany, Turkey, China and France.

Shodan map shows CODESYS devices

Related: Increasing Number of Industrial Systems Accessible From Web

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.