CVE-2023-3670: VDE-2023-024 | CERT@VDE

In CODESYS Development System 3.5.9.0 to 3.5.17.0 and CODESYS Scripting 4.0.0.0 to 4.1.0.0 unsafe directory permissions would allow an attacker with local access to the workstation to place potentially harmful and disguised scripts that could be executed by legitimate users.


2023-07-28 09:45 (CEST) VDE-2023-024

CODESYS: Vulnerability in CODESYS Development System and CODESYS Scripting

Published: 2023-07-28 09:45 (CEST)

Last update: 2023-07-28 09:46 (CEST)

Product(s)

| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| | CODESYS Development System | 3.5.9.0 < 3.5.17.0 |
| | CODESYS Scripting | 4.0.0.0 < 4.1.0.0 |

CVE ID

Last Update:

July 28, 2023, 9:44 a.m.

Severity

Weakness

Exposure of Resource to Wrong Sphere (CWE-668)

Summary

In CODESYS Development System 3.5.9.0 to 3.5.17.0 and CODESYS Scripting 4.0.0.0 to 4.1.0.0 unsafe directory permissions would allow an attacker with local access to the workstation to place potentially harmful and disguised scripts that could be executed by legitimate users.
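
An added example, not part of the advisory or of CODESYS: a PowerShell audit that reports access-control entries granting write-type rights on a directory tree to broad principals, which is the kind of unsafe directory permission the summary describes. The advisory does not name the affected directory, so `$Path` is a placeholder to be supplied by the reader, and the set of principals treated as low-privileged is an assumption.

```powershell
# Added example: list ACEs that let broad principals write into a directory tree.
# The advisory does not name the affected directory; $Path is a placeholder.
param(
    [Parameter(Mandatory)]
    [string]$Path
)

# Assumption: well-known SIDs treated as low-privileged for this audit.
$broadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)

# Access-mask bits that allow creating, replacing or re-permissioning content.
$writeMask = 0x2 -bor        # WriteData / CreateFiles
             0x4 -bor        # AppendData / CreateDirectories
             0x10000 -bor    # Delete
             0x40000 -bor    # ChangePermissions (WRITE_DAC)
             0x80000 -bor    # TakeOwnership (WRITE_OWNER)
             0x10000000 -bor # GENERIC_ALL (appears on inherit-only ACEs)
             0x40000000      # GENERIC_WRITE

# Audit the directory itself and every subdirectory beneath it.
$dirs = @(Get-Item -LiteralPath $Path) +
        @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    # Ask for rules keyed by SID so the match does not depend on localized names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadSids -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Directory = $dir.FullName
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}
```

Any row in the output is a directory where a non-administrative account can place files; an empty result means no such entry was found for the listed SIDs.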

Details

Impact

Solution

Update CODESYS Development System to version 3.5.17.0 or newer.

Update CODESYS Scripting to version 4.1.0.0 or newer.

This version can be downloaded and installed directly with the CODESYS Installer. A CODESYS Development System version of 3.5.17.0 or newer is required.

Alternatively, you can visit the CODESYS update area for more information on how to obtain the software update.

Reported by

This vulnerability was discovered by Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative.
CODESYS coordinated with CERT@VDE.
