(I)IoT Security News
News, Vulnerabilities

3S-Smart Software Solutions GmbH CODESYS V3 Products

1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a remote attacker to disguise the source of malicious communication packets and also exploit a random values weakness affecting confidentiality and integrity of data stored on the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

3S-Smart Software Solutions GmbH reports these vulnerabilities affect the following CODESYS V3 products:

3.2 VULNERABILITY OVERVIEW

3.2.1    USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

The application suffers from weak random values that can affect the confidentiality and integrity of data stored on the device.
CVE-2018-20025 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).

3.2.2    IMPROPER RESTRICTION OF COMMUNICATION CHANNEL TO INTENDED ENDPOINTS CWE-923

The application does not properly restrict communication channels, allowing the source of communication packets to be spoofed.
CVE-2018-20026 has been assigned to this vulnerability. A CVSS v3 base score of 5.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).

3.3 BACKGROUND

3.4 RESEARCHER

Alexander Nochvay from Kaspersky Lab reported these vulnerabilities to 3-S Smart Software Solutions GmbH.

4. MITIGATIONS

3-S Smart Software Solutions GmbH has released a new version of the software that can be downloaded from:

https://www.codesys.com/download/

For more information, all public CODESYS advisories can be found at:

https://www.codesys.com/security/security-reports.html

3S-Smart Software Solutions GmbH recommends the following general defensive measures to reduce the risk of exploitation of these vulnerabilities:

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

 

Source:

https://ics-cert.us-cert.gov/advisories/ICSA-18-352-04

Related posts

Philips Patient Monitoring Devices

(I) IoT
4 years ago

Wind River VxWorks

(I) IoT
5 years ago

Eaton HMiSoft VU3

(I) IoT
5 years ago
Exit mobile version