Date: 2023-08-11

Researchers from Microsoft have demonstrated how programmable logic controllers (PLCs) that run the CODESYS runtime can be taken over by exploiting high-severity remote code execution (RCE) vulnerabilities in the popular automation platform's network protocol. The flaws were patched earlier this year and affect the CODESYS V3 software development kit (SDK), which is integrated in more than 1,000 device models from more than 500 manufacturers.

“Exploitation of the discovered vulnerabilities, which affect all versions of CODESYS V3 prior to version 3.5.19.0, could put operational technology (OT) infrastructure at risk of attacks, such as remote code execution and denial of service (DoS),” the Microsoft researchers said in a report. “The discovery of these vulnerabilities highlights the critical importance of ensuring the security of industrial control systems and underscores the need for continuous monitoring and protection of these environments.”

Microsoft reported the vulnerabilities to the CODESYS Group, which maintains the SDK, in September 2022, and they were patched in updates released in March and April 2023. However, those fixes do not reach the field on their own: industrial equipment manufacturers that integrate the CODESYS Control Runtime Toolkit into their controllers, so that customers can run and debug applications built with CODESYS, must issue their own firmware updates, and patch development and deployment in the ICS space can be very slow.

15 CODESYS vulnerabilities

The researchers found 12 vulnerabilities that can lead to both remote code execution and DoS in various components of the CODESYS protocol, and another three that can result only in denial of service. All but one (a DoS flaw) are rated 8.8 out of 10 on the CVSS severity scale, but even a DoS condition can have serious implications when it strikes devices like PLCs that control critical processes in factories, energy plants, and building automation systems.

The CODESYS software suite has multiple components. It provides an integrated development environment (IDE) that runs on engineering workstations and lets users develop applications according to the IEC 61131-3 standard, in several of the programming languages that standard defines and for the various CPU architectures used on PLCs. Users then upload these applications to the PLCs, where the integrated CODESYS runtime executes them and where they can also be monitored and debugged. Other add-ons extend the functionality to include visualization, communication with human-machine interfaces (HMIs), advanced motion applications, and more.

The Microsoft researchers set out to investigate the proprietary CODESYS network communications protocol that allows the CODESYS engineering software to communicate with the CODESYS-compatible PLCs. This protocol runs over TCP (ports 11740-11743) or UDP (ports 1740-1743) and is broken down into multiple layers: the block driver layer, the datagram layer, the channel layer, and the services layer.
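As an added example that is not part of the original article or of Microsoft's report, the following Python script shows how the port information above can be turned into a simple monitoring check of the kind the researchers call for: it parses a constructed, simplified connection log and flags traffic to the CODESYS protocol ports (TCP 11740-11743, UDP 1740-1743) whose source is not an approved engineering workstation. The log format, the IP addresses and the allow-list are assumptions made for illustration; only the destination ports come from the article, and the script does not decode the CODESYS protocol layers themselves.

```python
"""Flag CODESYS-protocol traffic that does not come from an approved
engineering workstation.

Added example, not code from Microsoft's report or the CODESYS project.
The only facts taken from the article are the CODESYS V3 protocol ports:
TCP 11740-11743 and UDP 1740-1743. The log format, the hosts and the
allow-list below are constructed for illustration.
"""
from dataclasses import dataclass

# Destination ports of the CODESYS V3 engineering protocol (from the article).
CODESYS_TCP_PORTS = range(11740, 11744)
CODESYS_UDP_PORTS = range(1740, 1744)

# Hypothetical allow-list of engineering workstations permitted to talk to PLCs.
ENGINEERING_WORKSTATIONS = {"10.10.5.20", "10.10.5.21"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def parse_conn_log(text: str) -> list[Flow]:
    """Parse a minimal whitespace-separated connection log.

    Columns: ts src_ip dst_ip dst_port proto. This is a constructed format,
    similar in spirit to a Zeek conn.log but deliberately reduced to the
    fields the check needs. Blank lines and '#' comments are skipped.
    """
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto.lower()))
    return flows


def is_codesys_port(dport: int, proto: str) -> bool:
    """True if (dport, proto) is one of the CODESYS protocol endpoints."""
    if proto == "tcp":
        return dport in CODESYS_TCP_PORTS
    if proto == "udp":
        return dport in CODESYS_UDP_PORTS
    return False


def find_unexpected_codesys_flows(flows, allowed_sources=ENGINEERING_WORKSTATIONS):
    """Return CODESYS-port flows whose source is not an approved workstation."""
    return [
        f for f in flows
        if is_codesys_port(f.dport, f.proto) and f.src not in allowed_sources
    ]


# Constructed sample log: two legitimate engineering sessions, one CODESYS
# connection from an unapproved host, and one unrelated HTTPS flow.
SAMPLE_LOG = """\
# ts src dst dport proto
1691712000.1 10.10.5.20 10.10.8.50 11740 tcp
1691712001.4 10.10.5.21 10.10.8.51 1740 udp
1691712002.9 10.10.9.77 10.10.8.50 11740 tcp
1691712003.2 10.10.9.77 10.10.8.50 443 tcp
"""

if __name__ == "__main__":
    for f in find_unexpected_codesys_flows(parse_conn_log(SAMPLE_LOG)):
        print(f"ALERT: {f.src} -> {f.dst}:{f.dport}/{f.proto} at {f.ts}")
```

In practice the allow-list would come from the asset inventory rather than a hard-coded set, and an alert is a prompt to ask whether the source host should be talking to a PLC at all. That question matters most for controllers whose vendor has not yet shipped a runtime update, since for those a reachable CODESYS port is the exposure.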