Four Advisories Published - 6-22-21
Today CISA’s NCCIC-ICS published four control system security advisories for products from CODESYS (3) and Advantech.
Linux SysFile Advisory
This advisory describes an OS command injection vulnerability in the CODESYS V2 Runtime Toolkit. The vulnerability was reported by Sergey Fedonin and Ivan Kurnak, of Positive Technologies. CODESYS has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow the control programmer to call additional OS functions from the PLC logic utilizing the SysFile system library.
NOTE: I briefly discussed this vulnerability back in early May, 2021.
Control V2 Advisory
This advisory describes three vulnerabilities in the CODESYS V2 Runtime Toolkit and CODESYS PLCWinNT products. The vulnerabilities were reported by Sergey Fedonin, Denis Goryushev, and Anton Dorfman of Positive Technologies; and Yossi Reuven of SCADAfence. CODESYS has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
Heap-based buffer overflow - CVE-2021-30186,
Stack-based buffer overflow - CVE-2021-30188, and
Improper input validation - CVE-2021-30195.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause a heap-based buffer overflow, a stack-based buffer overflow, or a buffer over-read in the affected CODESYS products. This could result in a denial-of-service condition or allow remote code execution.
NOTE: I briefly discussed these vulnerabilities back in early May, 2021.
V2 Web Server Advisory
This advisory describes six vulnerabilities in the CODESYS V2 web server. The vulnerabilities were reported by Vyacheslav Moskvin, Sergey Fedonin, and Anton Dorfman of Positive Technologies. CODESYS has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The six reported vulnerabilities are:
Stack-based buffer overflow - CVE-2021-30189,
Improper access control - CVE-2021-30190,
Classic buffer overflow - CVE-2021-30191,
Improperly implemented security check - CVE-2021-30192,
Out-of-bounds write - CVE-2021-30193, and
Out-of-bounds read - CVE-2021-30194.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to read or write arbitrary memory or files in the CODESYS Control runtime system, cause invalid memory accesses to execute code, or crash the CODESYS web server or CODESYS Control runtime system.
NOTE: I briefly discussed these vulnerabilities back in early May, 2021.
Advantech Advisory
This advisory describes three vulnerabilities in the Advantech WebAccess HMI Designer. The vulnerabilities were reported by kimiya via the Zero Day Initiative. Advantech is still working on mitigation measures.
The three reported vulnerabilities are:
Heap-based buffer overflow - CVE-2021-33000,
Out-of-bounds write - CVE-2021-33002, and
Improper restriction of operations within the bounds of a memory buffer - CVE-2021-33004.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to result in memory corruption and code execution.
Commentary
CODESYS published their advisories for these three NCCIC-ICS advisories back on May 11th, 2021. I do not know why there is a five-week delay between the CODESYS publication and the NCCIC-ICS publication. NCCIC-ICS reports what is reported to them. In those rare instances where they do hold up public notification, they report that delay when the advisory is made.
There are all sorts of good reasons for a vendor to delay reporting vulnerabilities; developing mitigation measures or allowing time for major customers to apply mitigation measures are two of the most common. Neither applies here. CODESYS published these vulnerabilities on their public facing web site back in May, so there was no advantage to be gained by delaying the notification of NCCIC-ICS.
What does concern me about the CISA advisories is that I do not recall a single instance where a CODESYS advisory published by DHS was amended to note other vendors applying the fixes identified by CODESYS in their products that are based upon the vulnerable CODESYS product. CODESYS software is reportedly used by a wide variety of other vendors. Not one of the CVEs published today has a listing in the NIST National Vulnerability Database for a vendor advisory other than CODESYS. In fact, I have looked at all the CVEs in the 2020 CODESYS advisories and the only ones that list other vendors are the WIBU Code Meter vulnerabilities that CODESYS was reporting as affecting their products.
Are other vendors ignoring the CODESYS vulnerabilities in their derivative products? Some may be, but I doubt that they all are. Do they upgrade to newer versions of the third-party software that they use in their products? We do not know. That is one of the reasons that people are pushing for the widespread use of software bills of materials. If the silence surrounding CODESYS derivative vulnerabilities is any indication, I expect to see a strong pushback against any mandate for SBOMs.
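The NVD check described above can be automated: the script below (an added example, not from the original post or from CODESYS) parses NVD-style CVE records, pulls the vendor field out of each CPE 2.3 string marked vulnerable, and flags CVEs where CODESYS is the only vendor listed. The JSON is a constructed sample shaped like an NVD API 2.0 response; the product names, version and the vendor "example_oem" are invented, and only the CVE ids come from the advisories.

```python
import json
import re

# Constructed sample shaped like an NVD API 2.0 response; not real NVD data. The CVE
# ids are from the advisories above; the CPE products, version and "example_oem" are invented.
SAMPLE_NVD_JSON = """
{"vulnerabilities": [
  {"cve": {"id": "CVE-2021-30186", "configurations": [{"nodes": [{"operator": "OR",
     "cpeMatch": [{"vulnerable": true,
                   "criteria": "cpe:2.3:a:codesys:runtime_toolkit:*:*:*:*:*:*:*:*"}]}]}]}},
  {"cve": {"id": "CVE-2021-30189", "configurations": [{"nodes": [{"operator": "OR",
     "cpeMatch": [{"vulnerable": true,
                   "criteria": "cpe:2.3:a:codesys:web_server:*:*:*:*:*:*:*:*"},
                  {"vulnerable": true,
                   "criteria": "cpe:2.3:a:example_oem:derived_plc_firmware:1.0:*:*:*:*:*:*:*"},
                  {"vulnerable": false,
                   "criteria": "cpe:2.3:h:example_oem:derived_plc:-:*:*:*:*:*:*:*"}]}]}]}}
]}
"""

def cpe_vendor(criteria):
    """Vendor field of a CPE 2.3 formatted string (cpe:2.3:part:vendor:product:...).
    A literal ':' inside a field is escaped as '\\:', so split on unescaped colons only."""
    fields = re.split(r"(?<!\\):", criteria)
    return fields[3] if len(fields) > 3 else ""

def vendors_by_cve(nvd_json_text):
    """Map each CVE id to the set of vendors whose CPEs NVD marks as vulnerable."""
    out = {}
    for item in json.loads(nvd_json_text)["vulnerabilities"]:
        cve = item["cve"]
        vendors = set()
        for cfg in cve.get("configurations", []):
            for node in cfg.get("nodes", []):
                for m in node.get("cpeMatch", []):
                    if m.get("vulnerable"):          # skip non-vulnerable platform CPEs
                        vendors.add(cpe_vendor(m["criteria"]))
        out[cve["id"]] = vendors
    return out

def upstream_only(nvd_json_text, upstream="codesys"):
    """CVE ids whose only listed vulnerable vendor is the upstream vendor: candidates
    for a derivative-product check against your own asset or SBOM inventory."""
    return sorted(cve for cve, v in vendors_by_cve(nvd_json_text).items() if v == {upstream})

if __name__ == "__main__":
    for cve, v in sorted(vendors_by_cve(SAMPLE_NVD_JSON).items()):
        print(cve, sorted(v))
    print("upstream-only:", upstream_only(SAMPLE_NVD_JSON))
```

To run it against live data, fetch https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-30186 (and the other ids) and pass the response body to the same functions.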
Patrick, Good commentary on the CODESYS issues. I agree about the curious rollout of this issue; it will be interesting to see when other vendors follow suit after the issue has been evaluated.