Several new critical flaws affect CODESYS industrial automation software


Cybersecurity researchers on Wednesday revealed several security vulnerabilities affecting CODESYS automation software and the WAGO programmable logic controller (PLC) platform that could be remotely exploited to take control of a company's cloud operational technology (OT) infrastructure.

The flaws can be turned “into innovative attacks that could put threat actors in a position to remotely control a company’s cloud-based OT implementation and threaten any industrial process managed from the cloud,” New York-based industrial security firm Claroty said in a report shared with The Hacker News, adding that they “can be used to target a cloud-based management console from a compromised field device, or take control of a company’s cloud and attack programmable logic controllers and other devices to disrupt operations.”


CODESYS is a development environment for programming controller applications, allowing easy configuration of PLCs in industrial control systems. WAGO PFC100 / 200 is a series of PLCs that use the CODESYS platform to program and configure the controllers.

The seven vulnerabilities are listed below:

  • CVE-2021-29238 (CVSS score: 8.0) – Cross-site request forgery in CODESYS Automation Server
  • CVE-2021-29240 (CVSS score: 7.8) – Insufficient verification of data authenticity in CODESYS Package Manager
  • CVE-2021-29241 (CVSS score: 7.5) – Null pointer dereference in CODESYS V3 products containing the CmpGateway component
  • CVE-2021-34569 (CVSS score: 10.0) – WAGO PFC diagnostic tools – Out-of-bounds write
  • CVE-2021-34566 (CVSS score: 9.1) – WAGO PFC iocheckd “I/O-Check” service – Shared buffer overflow
  • CVE-2021-34567 (CVSS score: 8.2) – WAGO PFC iocheckd “I/O-Check” service – Out-of-bounds read
  • CVE-2021-34568 (CVSS score: 7.5) – WAGO PFC iocheckd “I/O-Check” service – Allocation of resources without limits

Successful exploitation of the vulnerabilities could allow installation of malicious CODESYS packages, cause a denial-of-service (DoS) condition, or lead to elevation of privilege through the execution of malicious JavaScript code and, worse, manipulation or complete disruption of the device.


In the wild, this could happen in one of two ways: “bottom-up” or “top-down”. The twin approaches mimic the paths an adversary is likely to take: either controlling a PLC endpoint in order to eventually compromise the cloud-based management console or, conversely, commandeering the cloud in order to manipulate all networked field devices.

In a complex “bottom-up” exploitation chain devised by Claroty, a combination of CVE-2021-34566, CVE-2021-34567 and CVE-2021-29238 was exploited to achieve remote code execution on the WAGO PLC, then to gain access to the CODESYS WebVisu human-machine interface and stage a cross-site request forgery (CSRF) attack to take control of the CODESYS Automation Server instance.


“An attacker who obtains access to a PLC managed by Automation Server Cloud can modify the ‘webvisu.js’ file and add JavaScript code at the end of the file which will send a malicious request to the cloud server on behalf of the logged in user”, explained Claroty’s lead researcher Uri Katz, who discovered and reported the flaws.

“When a cloud user views the WebVisu page, the modified JavaScript code exploits the absence of a CSRF token and runs in the context of the user viewing it; the request will include the CAS cookie. Attackers can use this to POST to ‘/api/db/User’ with a new administrator user, giving them full access to the CODESYS cloud platform,” Katz added.
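A defender-side integrity check for the tampering Katz describes, as an added example that is not from Claroty or CODESYS: it compares the `webvisu.js` a PLC serves with a known-good copy and reports whether code was appended and whether that code issues web requests. The function names, marker list and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import re

# Patterns worth flagging in code added to webvisu.js: browser request APIs
# plus the user-creation endpoint named in the article.
MARKERS = {
    "XMLHttpRequest": rb"\bXMLHttpRequest\b",
    "fetch": rb"\bfetch\s*\(",
    "sendBeacon": rb"\bsendBeacon\b",
    "/api/db/User": rb"/api/db/User",
}

def markers_in(data: bytes) -> set:
    """Return the names of all marker patterns present in data."""
    return {name for name, pat in MARKERS.items() if re.search(pat, data)}

def audit_webvisu(baseline: bytes, observed: bytes) -> dict:
    """Compare the webvisu.js a PLC serves with a known-good copy."""
    report = {
        "observed_sha256": hashlib.sha256(observed).hexdigest(),
        "verdict": "unchanged",
        "appended_bytes": 0,
        "new_markers": [],
    }
    if observed == baseline:
        return report
    stem = baseline.rstrip()  # tolerate trailing-whitespace differences
    if observed.startswith(stem):
        tail = observed[len(stem):]
        if not tail.strip():
            report["verdict"] = "whitespace-only"
            return report
        # Baseline is intact and something follows it: the appended case.
        report["verdict"] = "appended"
        report["appended_bytes"] = len(tail)
        report["new_markers"] = sorted(markers_in(tail))
    else:
        # Baseline itself was altered; report markers it did not contain.
        report["verdict"] = "modified"
        report["new_markers"] = sorted(markers_in(observed) - markers_in(baseline))
    return report

# Constructed sample data, not real vendor code.
BASELINE = b"function initVisu() { /* stand-in for vendor code */ }\n"
TAMPERED = BASELINE + b'var r = new XMLHttpRequest(); r.open("POST", "/api/db/User");\n'

if __name__ == "__main__":
    print(audit_webvisu(BASELINE, TAMPERED))
```

The baseline copy should come from a trusted source, such as the engineering project or a freshly provisioned device, rather than from the PLC being audited.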

The alternative “top-down” attack scenario involves compromising the CODESYS engineering station by deploying a malicious package (CVE-2021-29240) designed to leak the cloud credentials associated with an operator account, and then using those credentials to alter the programmed logic and gain unrestricted access to all connected PLCs.


“Organizations moving forward with cloud-based management of OT and ICS devices should be aware of the inherent risks and increased threats of attackers eager to target industrial enterprises with extortion-based attacks, including ransomware, and more sophisticated attacks that can cause physical damage,” Katz said.

The disclosures mark the second time critical flaws have been discovered in CODESYS and WAGO PLCs in as many months. In June, researchers at Positive Technologies revealed ten critical vulnerabilities in the software’s web server and runtime system components that could be exploited to achieve remote code execution on PLCs.

The development also comes a week after IoT security firm Armis revealed a critical authentication bypass vulnerability affecting Schneider Electric Modicon PLCs – dubbed “ModiPwn” (CVE-2021-22779) – which could be exploited to gain full control over the controller, including overwriting critical regions of memory, leaking sensitive memory content, or calling internal functions.

In a related report released earlier in May, Claroty disclosed a memory protection bypass vulnerability in Siemens SIMATIC S7-1200 and S7-1500 controllers (CVE-2020-15782) that could be exploited by a malicious actor to remotely access protected areas of memory and achieve unrestricted, undetected code execution.

The revelations also coincide with a joint cybersecurity advisory issued by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) documenting a landmark spear-phishing and intrusion campaign by state-sponsored Chinese actors from December 2011 to 2013, targeting 23 oil and natural gas (ONG) pipeline operators in the country.

“The CISA and the FBI believe that these actors specifically targeted US pipeline infrastructure with the aim of endangering US pipeline infrastructure,” the agencies said. “In addition, the CISA and the FBI believe that this activity was ultimately intended to help China develop cyberattack capabilities against US pipelines to physically damage pipelines or disrupt pipeline operations.”

