Headline
3 New Vulnerabilities Affect OT Products from German Festo and CODESYS Companies
Researchers have disclosed details of three new security vulnerabilities affecting operational technology (OT) products from CODESYS and Festo that could lead to source code tampering and denial-of-service (DoS). The vulnerabilities, reported by Forescout Vedere Labs, are the latest in a long list of flaws collectively tracked under the name OT:ICEFALL. "These issues exemplify either an
Researchers have disclosed details of three new security vulnerabilities affecting operational technology (OT) products from CODESYS and Festo that could lead to source code tampering and denial-of-service (DoS).
The vulnerabilities, reported by Forescout Vedere Labs, are the latest in a long list of flaws collectively tracked under the name OT:ICEFALL.
“These issues exemplify either an insecure-by-design approach — which was usual at the time the products were launched – where manufacturers include dangerous functions that can be accessed with no authentication or a subpar implementation of security controls, such as cryptography,” the researchers said.
The most critical of the flaws is CVE-2022-3270 (CVSS score: 9.8), a critical vulnerability that affects Festo automation controllers using the Festo Generic Multicast (FGMC) protocol to reboot the devices without requiring any authentication and cause a denial of service (DoS) condition.
Another DoS shortcoming in Festo controllers (CVE-2022-3079, CVSS score: 7.5) relates to a case of unauthenticated, remote access to an undocumented web page (“cec-reboot.php”) that could be exploited by an attacker with network access to Festo CPX-CEC-C1 and CPX-CMXX PLCs.
The third issue, on the other hand, concerns the use of weak cryptography in the CODESYS V3 runtime environment to secure download code and boot applications (CVE-2022-4048, CVSS score: 7.7), which could be abused by a bad actor to decrypt and manipulate the source code, thereby undermining confidentiality and integrity protections.
Forescout said it also identified two known CODESYS bugs impacting Festo CPX-CEC-C1 controllers (CVE-2022-31806 and CVE-2022-22515) that stem from an unsafe configuration in the Control runtime environment, and could lead to a denial-of-service sans authentication.
“This is yet another example of a supply chain issue where a vulnerability has not been disclosed for all the products it affects,” the researchers said.
To mitigate potential threats, organizations are recommended to discover and inventory vulnerable devices, enforce appropriate network segmentation controls, and monitor network traffic for anomalous activity.
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
Related news
Inadequate Encryption Strength in CODESYS Development System V3 versions prior to V3.5.18.40 allows an unauthenticated local attacker to access and manipulate code of the encrypted boot application.
In multiple products by Festo a remote unauthenticated attacker could use functions of an undocumented protocol which could lead to a complete loss of confidentiality, integrity and availability.
Festo control block CPX-CEC-C1 and CPX-CMXX in multiple versions allow unauthenticated, remote access to critical webpage functions which may cause a denial of service.
CODESYS has released patches to address as many as 11 security flaws that, if successfully exploited, could result in information disclosure and a denial-of-service (DoS) condition, among others. "These vulnerabilities are simple to exploit, and they can be successfully exploited to cause consequences such as sensitive information leakage, PLCs entering a severe fault state, and arbitrary code
In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57 password protection is not enabled by default and there is no information or prompt to enable password protection at login in case no password is set at the controller.