CODESYS WebVisu has a severe vulnerability that affects more than 100 ICS systems.
According to SecurityWeek, Zhu Wenzhe of Istury IOT found a stack-based buffer overflow vulnerability in the Web server component used by CODESYS WebVisu from 3S-Smart Software Solutions. Remote attackers can exploit this vulnerability to trigger a DoS and, in some cases, execute arbitrary code on the Web server.
CODESYS WebVisu allows users to view the human-machine interface (HMI) of a programmable logic controller (PLC) in a Web browser. According to the CODESYS official website, 116 PLC and HMI products from around 50 vendors use WebVisu, including Schneider Electric, WAGO, Hitachi, Yanhua, Beck IPC, Berghof Automation, Hans Turck and NEXCOM (sinhan). The ICS systems of these vendors may therefore be affected by the vulnerability.
3S-Smart Software Solutions states in its announcement:
A specially crafted Web server request may cause a buffer overflow, so that attackers can execute arbitrary code on the Web server, or cause the Web server to crash, resulting in a DoS.
In addition, although there is no evidence that the vulnerability has been exploited in the wild, attackers with little technical skill can exploit it remotely. Therefore, the vendor should be vigilant.
The vulnerability is tracked as CVE-2018-5440 and has a CVSS score of 9.8. This vulnerability affects the web servers running independently on any version of Windows (including Windows Embedded Compact) or as part of CODESYS runtime systems later than version 1.1.9.19. Version 1.1.9.19 of the CODESYS runtime system (also part of the CODESYS 2.3.9.56 installer) fixes this vulnerability.
Currently, 3S-Smart Software Solutions has not released a solution for this vulnerability, but it suggests that organizations minimize network exposure and use firewalls and VPNs to restrict access to controllers. The company also released a white paper with general recommendations on industrial control application security.
This is not the first vulnerability in a CODESYS component. Last April, CyberX, an industrial network security startup, found some serious vulnerabilities in the CODESYS network server. Recently, SEC Consult also reported that a vulnerability in a CODESYS component left PLCs from other vendors, such as WAGO, vulnerable to attack.
Shodan has been crawling port 2455 since 2014. This port is unique to the CODESYS protocol. Shodan's current crawling results show that more than 5,600 systems can be accessed through this port, most of which are in the United States, Germany, Turkey, China and France.
* Reference source: SecurityWeek