Bugs in Codesys V3 SDK could cause RCE, DoS attacks on industrial facilities

Microsoft Threat Research on Thursday reported 15 high-severity vulnerabilities in the Codesys V3 software development kit (SDK) that could put operational technology infrastructure at risk of remote code execution (RCE) and denial-of-service (DoS) attacks.

In a blog post Aug. 10, Microsoft researchers said the vulnerabilities affect all version of Codesys V3 prior to version 3.4.19.0. Codesys operates as a software development environment widely used to program and engineer the programmable logic controllers (PLCs) used in many industrial environments.

Codesys runs compatible with about 1,000 different device types from more than 500 manufacturers and several million devices that use it to implement the international industrial International Electrotechnical Commission 611131-3 standard.

The Microsoft researchers said a DoS attack against a device using a vulnerable version of Codesys could let threat actors shut down a power plant, while an RCE could create a backdoor for devices and let attackers tamper with operations, cause a PLC to run in an unusual way, or steal critical information. However, exploiting the discovered vulnerabilities requires user authentication, as well as deep knowledge of the proprietary protocol of Codesys V3 and the structure of the different services that the protocol uses, said the researchers.

Microsoft researchers said they reported the discovery to Codesys in September 2022 and worked closely with them to ensure that the vulnerabilities were patched. Microsoft also urge Codesys users to apply the security updates as soon as possible, and recommend security teams update the device firmware to version to 3.5.19.0 or above.

Codesys vulnerability could also lead to espionage risks

The vulnerabilities in the Codesys V3 SDK can disrupt operations, strain supply chains, and deteriorate organization reputations, said Saeed Abbasi, manager of vulnerability and threat research at Qualys. Abbasi said financial repercussions can escalate, especially if crucial sectors are hit. Besides direct damages, there's an imminent espionage risk, with attackers potentially extracting sensitive data.

“Industrial system vulnerabilities can draw in advanced adversaries seeking strategic advantage,” said Abbasi. “Alongside overt disruptions, there's a covert risk of prolonged intelligence gathering. One targeted attack might ripple through related systems, and publicizing these flaws could broaden the range of potential cyber threats.”

John Gallagher, vice president of Viakoo Labs, added that these vulnerabilities are particularly threatening, as they are present in cyber-physical systems (such as industrial controls) where attackers can exploit them to create physical damage and destruction just as much as it could lead to data theft. 

“Unlike traditional IT systems, finding and locating vulnerable systems is much harder for operational and industrial control technology,” explained Gallagher. “Unfortunately, the reality for most OT and ICS systems is that they are behind on firmware updates, making the chances very high of a system being vulnerable to the CoDe16 flaws.” 

Joe Saunders, chief executive officer of RunSafe Security, said unfortunately, scanning tools do a poor job of detecting these types of vulnerabilities, and chasing vulnerabilities after exploits are recovered is too late, as the Codesys case demonstrates.

“We need to eliminate the exploitation of the entire class of these vulnerabilities even if a patch is not available, or the attacker will continue to win,” said Saunders.