Critical vulnerabilities in CODESYS development system and industrial automation products

Cybersecurity specialists report the detection of multiple vulnerabilities in CODESYS, a development environment for controller programming in accordance with the international industry standard IEC 61131-3. According to the report, successful exploitation of these flaws would allow the execution of arbitrary code and other attack variants.

Below are brief descriptions of the reported flaws, in addition to their respective identification keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).

CVE-2021-21868: Insecure input validation when processing serialized data in the objectmanager.plugin Project.get_MissingTypes() functionality would allow threat actors to pass specially crafted data into the affected application.

The flaw received a CVSS score of 7.7/10 and its successful exploitation would allow arbitrary commands to be executed on the target system.

CVE-2021-21863: Insecure input validation when processing serialized data in the ComponentModel Profile.FromFile() functionality would allow remote threat actors to pass specially crafted data to the application and execute arbitrary code on the target system.

This vulnerability received a CVSS score of 7.7/10.

CVE-2021-21865: Insecure input validation when processing serialized data in the PackageManagement.plugin ExtensionMethods.Clone() capability allows threat actors to pass specially crafted data to the affected application.

The flaw received a score of 7.7/10 and its successful exploitation would allow malicious hackers to execute arbitrary commands on the target system.

CVE-2021-21866: Insecure validation of inputs when processing serialized data in the ObjectManager.plugin ProfileInformation.ProfileData functionality could allow malicious hackers to load specially crafted data onto affected systems.

The vulnerability received a CVSS score of 7.7/10 and its successful exploitation would allow arbitrary code execution.

CVE-2021-21867: Insecure input validation when processing serialized data in the ObjectManager.plugin ObjectStream.ProfileByteArray functionality allows threat actors to pass specially crafted data to the target application in order to execute arbitrary code on the vulnerable system.

The vulnerability received a CVSS score of 7.7/10 and its successful exploitation would allow the full compromise of the affected system.

CVE-2021-21864: Insecure input validation when processing serialized data in componentmodel ComponentManager.StartupCultureSettings functionality would allow remote attackers to pass specially crafted data to the application and execute arbitrary code on the target system.

The flaw received a CVSS score of 7.7/10.

CVE-2021-21869: Insecure input validation when processing serialized data in the Engine.plugin ProfileInformation ProfileData functionality would allow remote attackers to pass specially crafted data to the application and execute arbitrary code on the affected system.

These flaws reside in the following versions of CODESYS Development System: v3.5.16.0 and v3.5.17.0.

While these flaws can be exploited remotely by unauthenticated threat actors, so far no exploitation attempts have been detected in real-world scenarios, nor has any malware variant associated with these attacks been identified.

The flaws have already been addressed, so users of affected versions are encouraged to update as soon as possible. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.