Multiple security flaws have been discovered in CODESYS automation software and the WAGO programmable logic controller (PLC) platform that may be remotely abused to take control of a company’s cloud operational technology (OT) infrastructure, according to cybersecurity researchers. CODESYS is a programming environment for controller applications that makes it simple to configure PLCs in industrial control systems. The WAGO PFC100/200 is a family of PLCs that use the CODESYS platform for programming and configuration. CODESYS software is used by automotive-related businesses like WAGO, Beckhoff, Kontron, Moeller, Festo, and Mitsubishi to program and configure their controllers.

According to Claroty, a New York-based industrial security firm, the weaknesses can be chained into new attacks that would put threat actors in a position to remotely manipulate a company's cloud OT implementation and endanger any industrial process monitored from the cloud. They can be used to target a cloud-based management console from a compromised field device, or to take over a company's cloud and attack PLCs and other devices to disrupt operations.

The newly listed vulnerabilities each carry a Common Vulnerability Scoring System (CVSS) score of 7.5 or higher:

  • CVE-2021-29238 (CVSS score: 8.0) – Cross-site request forgery in CODESYS Automation Server
  • CVE-2021-29240 (CVSS score: 7.8) – Insufficient Verification of Data Authenticity in CODESYS Package Manager
  • CVE-2021-29241 (CVSS score: 7.5) – Null pointer dereference in CODESYS V3 products containing the CmpGateway component
  • CVE-2021-34569 (CVSS score: 10.0) – WAGO PFC diagnostic tools – Out-of-bounds write
  • CVE-2021-34566 (CVSS score: 9.1) – WAGO PFC iocheckd service "I/O-Check" – Shared memory buffer overflow
  • CVE-2021-34567 (CVSS score: 8.2) – WAGO PFC iocheckd service "I/O-Check" – Out-of-bounds read
  • CVE-2021-34568 (CVSS score: 7.5) – WAGO PFC iocheckd service "I/O-Check" – Allocation of resources without limits

Successful exploitation of the weaknesses might lead to the installation of malicious CODESYS packages, a denial-of-service (DoS) scenario, privilege escalation via malicious JavaScript code execution, and, worse, device manipulation or full disruption.

Claroty senior researcher Uri Katz discovered and reported the flaws. According to him, "An attacker that obtains access to a PLC managed by the Automation Server Cloud can modify the 'webvisu.js' file and append JavaScript code to the end of the file that will send a malicious request to the cloud server on behalf of the logged-in user." Katz added, "When a cloud user views the WebVisu page, the modified JavaScript will exploit the lack of CSRF token and run in the context of the user viewing it; the request will include the CAS cookie. Attackers can use this to POST to '/api/db/User' with a new administrator user, giving them full access to the CODESYS cloud platform."

Written by Nishat Mowla