Headline
CVE-2023-3663: VDE-2023-022 | CERT@VDE
In CODESYS Development System versions from 3.5.11.20 and before 3.5.19.20 a missing integrity check might allow an unauthenticated remote attacker to manipulate the content of notifications received via HTTP by the CODESYS notification server.
2023-08-03 12:52 (CEST) VDE-2023-022
CODESYS: Missing integrity check in CODESYS Development System
Share: Email | Twitter
Published
2023-08-03 12:52 (CEST)
Last update
2023-08-03 12:52 (CEST)
Product(s)
Article No°
Product Name
Affected Version(s)
CODESYS Development System
3.5.11.0 < 3.5.19.20
Summary
The Notification Center of the CODESYS Development System receives messages without ensuring that the message was not modified during transmission. This finally enables MITMs code execution when the user clicks the “Learn More” button.
CVE ID
Last Update:
Aug. 3, 2023, 12:52 p.m.
Severity
Weakness
Insufficient Verification of Data Authenticity (CWE-345)
Summary
In CODESYS Development System versions from 3.5.11.20 and before 3.5.19.20 a missing integrity check might allow an unauthenticated remote attacker to manipulate the content of notifications received via HTTP by the CODESYS notification server.
Details
Solution
Update the CODESYS Development System to version 3.5.19.20.
The CODESYS Development System can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store.
Alternatively, you will find further information on obtaining the software update in the CODESYS Update area
Reported by
This vulnerability was discovered by Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative.
Coordination done by CERT@VDE.