Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Web Server Used in 100 ICS Products Affected by Critical Flaw

A critical vulnerability that could allow a remote attacker to execute arbitrary code has been found in a component used by more than 100 industrial control systems (ICS) from tens of vendors.

A critical vulnerability that could allow a remote attacker to execute arbitrary code has been found in a component used by more than 100 industrial control systems (ICS) from tens of vendors.

The flaw affects the web server component of 3S-Smart Software Solutions’ CODESYS WebVisu product, which allows users to view human-machine interfaces (HMIs) for programmable logic controllers (PLCs) in a web browser.

According to the CODESYS website, the WebVisu product is used in 116 PLCs and HMIs from roughly 50 vendors, including Schneider Electric, WAGO, Hitachi, Advantech, Beck IPC, Berghof Automation, Hans Turck, and NEXCOM.

Zhu WenZhe of Istury IOT discovered that the CODESYS web server is affected by a stack-based buffer overflow vulnerability that could allow an attacker to cause a denial-of-service (DoS) condition and possibly even execute arbitrary code on the web server.

“A crafted web server request may cause a buffer overflow and could therefore execute arbitrary code on the web server or lead to a denial-of service condition due to a crash in the web server,” 3S-Smart Software Solutions explained in an advisory.

The vendor says that while there is no evidence that the flaw has been exploited in the wild, even an attacker with low skill may be able to exploit it remotely.

Related: Learn More at SecurityWeek’s ICS Cyber Security Conference

The vulnerability is tracked as CVE-2018-5440 and it has been assigned a CVSS score of 9.8. CODESYS v2.3 web servers running on any version of Windows (including Windows Embedded Compact) as stand-alone or part of the CODESYS runtime system prior to version 1.1.9.19 are affected. Version 1.1.9.19, which is also part of the CODESYS 2.3.9.56 setup, patches the vulnerability.

Advertisement. Scroll to continue reading.

While 3S-Smart Software Solutions says it has not identified any workarounds for this security hole, the company has advised organizations to ensure that access to controllers is restricted through minimization of network exposure, and the use of firewalls and VPNs. The company has also published a white paper with general recommendations on security in industrial control applications.

Vulnerabilities in CODESYS components are not uncommon. Last April, industrial cybersecurity startup CyberX uncovered several critical flaws in the CODESYS web server. More recently, SEC Consult reported that a CODESYS component flaw exposed PLCs from WAGO and possibly other vendors to attacks.

Shodan has been crawling port 2455, which is specific to the CODESYS protocol, since 2014. The search engine currently shows more than 5,600 systems reachable via this port, with a majority in the United States, Germany, Turkey, China and France.

Shodan map shows CODESYS devices

Related: Increasing Number of Industrial Systems Accessible From Web

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.