
CVE-2023-3669: VDE-2023-023 | CERT@VDE

A missing brute-force protection in CODESYS Development System prior to 3.5.19.20 allows a local attacker unlimited attempts at guessing the password within an import dialog.


2023-08-03 13:08 (CEST) VDE-2023-023

CODESYS: Missing Brute-Force protection in CODESYS Development System

Published: 2023-08-03 13:08 (CEST)

Last update: 2023-08-03 13:08 (CEST)

Product(s)

| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| | CODESYS Development System | < 3.5.19.20 |

Summary

The CODESYS Development System does not limit the number of attempts to guess the password within an import dialog.

CVE ID: CVE-2023-3669

Last Update: Aug. 3, 2023, 1:08 p.m.

Severity

Weakness: Improper Restriction of Excessive Authentication Attempts (CWE-307)


Details

Impact

A local attacker can obtain a limited amount of information if the brute-force attack is successful.

Solution

Update the CODESYS Development System to version 3.5.19.20.

The CODESYS Development System can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store.

Alternatively, you will find further information on obtaining the software update in the CODESYS Update area.

Reported by

This vulnerability was reported by an OEM customer.

Coordination done by CERT@VDE.
