CVE-2021-34593: CODESYS V2 Remote Denial of Service Vulnerability

Key Information Vulnerability Title: CODESYS V2 Denial of Service Affected Products: CODESYS Runtime Toolkit 32-bit, CODESYS PLCWinNT Vulnerable Versions: <V2.4.7.56 Fixed Version: V2.4.7.56 CVE ID: CVE-2021-34593 Impact Level: High Discovery Date: 2021-05-05 Discovering Team: SEC Consult Vulnerability Lab Collaborative Research: "OT Cyber Security Lab" between Verbund AG and SEC Consult Group Key Individuals: Gerhard Hechenberger (Office Vienna), Steffen Robertz (Office Vienna) CODESYS Description: Leading independent supplier of IEC 61131-3 automation software for engineering control systems Business Recommendation: Vendors using affected software should immediately provide new firmware versions; users should update devices to the patched firmware version Vulnerability Description: Sending requests with invalid packet sizes to a pre-configured port can trigger a memory allocation error, causing a denial of service for remote connectivity to the CODESYS service, preventing clients from connecting to the affected PLC Remediation Plan: CODESYS released a dedicated security advisory corresponding to this recommendation and will publish detailed proof-of-concept after affected product vendors have time to provide updated firmware versions Tested/Affected Version: 2.4.7.0 Vendor Communication Timeline: - 2021-05-25: Contacted third-party vendors using CODESYS runtime - 2021-08-11: Vendor confirmed the issue was fixed in recent CODESYS versions - 2021-08-18: Checked the latest public firmware version of the product; vulnerability still present; notified vendor again - 2021-09-01: Vendor confirmed and committed to investigating the issue in collaboration with CODESYS - 2021-10-15: CODESYS notified of assigned CVE-2021-34593 and planned release date - 2021-10-28: Coordinated disclosure Solution: Immediately update to the patched version of CODESYS Temporary Mitigation: Restrict access to the CODESYS service port on affected devices as much as possible. Long-term, install updated product firmware that includes the patched CODESYS service Announcement URL: SEC Consult Vulnerability Lab

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2021-34593: CODESYS V2 Remote Denial of Service Vulnerability

More from this source