RCE vulnerability detected in CODESYS industrial controller software

Cybersecurity problems continue to appear, even in the midst of the coronavirus pandemic. A team of Cisco Talos researchers has just revealed the discovery of a critical vulnerability in the CODESYS Control SoftPLC industrial control software. Identified as CVE-2020-6081, this security flaw would allow remote threat actors to execute code on the target system.

CODESYS Control SoftPLC is software that transforms any PC or embedded device into an industrial controller that complies with IEC 61131-3, making it widely used in enterprise environments.

According to cybersecurity experts, the remote code execution vulnerability is related to the PLC_Task functionality of the software. A threat actor could exploit this flaw by sending specially crafted packets over the network. The issue affects the CODESYS Control SoftPLC 3.5.14.30 release and has received a score of 9.9/10 on the Common Vulnerability Scoring System (CVSS) scale.

Application code for CODESYS is compiled to machine code when it is sent from the development software. Before that machine code runs on a separate thread in the context of the codesys3 binary, it is checked only with the CRC-32 algorithm. By creating an .app file containing shellcode for the appropriate architecture, a malicious hacker with the ability to download projects to the device can run code on it remotely.

This malicious download can be performed over the SSH protocol or over the CODESYS proprietary protocol on port 11740. To pass the CRC check, the threat actor must create a .crc file containing the CRC-32 of the entire .app file.

Experts claim that the vulnerability stems from the lack of mandatory cryptographic verification of the loaded binary. Because authentication can be disabled for port 11740, which is used to upload PLC applications to the device, a cryptographic signature is needed to verify that the binary comes from a trusted source. Without cryptographic verification, even if the device was configured to prevent direct device access, arbitrary code could run directly on the device with the privileges of the CODESYS runtime, alongside the application logic required under IEC 61131.
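The distinction the researchers draw, a CRC-32 that only detects corruption versus a cryptographic check that proves origin, is easy to see in code. The following is an added example written for this article, not code from CODESYS or from the Talos advisory; the sample image, the loader model and the signing key are constructed placeholders, and HMAC-SHA256 stands in for whatever signature scheme a real runtime would use. It models a loader that accepts an image on the strength of a companion CRC alone, beside one that also demands a keyed tag, and shows that only the second rejects an image altered after it left the trusted toolchain.

```python
import hashlib
import hmac
import zlib

# Constructed sample "application" blob standing in for a compiled .app image.
# The bytes are arbitrary and have no relation to a real CODESYS artifact.
APP_IMAGE = b"MOV R0, #1\nBL task_entry\n"

# Hypothetical signing key that only the trusted toolchain holds.
SIGNING_KEY = b"constructed-demo-key-do-not-use"


def crc_companion(app: bytes) -> int:
    """Integrity-only check: a CRC-32 over the whole image.

    Anyone able to produce the image can also produce a matching CRC, so this
    detects accidental corruption, not substitution by another party."""
    return zlib.crc32(app) & 0xFFFFFFFF


def verify_crc(app: bytes, crc: int) -> bool:
    return crc_companion(app) == crc


def sign_app(app: bytes, key: bytes) -> bytes:
    """Authenticity check: a keyed HMAC-SHA256 tag (stand-in for a signature).

    Without the key, no party can pair an altered image with a valid tag."""
    return hmac.new(key, app, hashlib.sha256).digest()


def verify_signature(app: bytes, tag: bytes, key: bytes) -> bool:
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(sign_app(app, key), tag)


def loader_accepts(app: bytes, crc: int, tag: bytes, key: bytes,
                   require_signature: bool) -> bool:
    """Model of a runtime loader.

    The weak configuration trusts the CRC alone; the hardened configuration
    also requires a valid keyed tag before the image is allowed to run."""
    if not verify_crc(app, crc):
        return False
    if require_signature and not verify_signature(app, tag, key):
        return False
    return True


def tampered_scenario(require_signature: bool) -> bool:
    """Simulate an image altered after it left the trusted toolchain, with the
    companion CRC recomputed to match the altered bytes.

    Returns True if the loader accepts the altered image."""
    altered = APP_IMAGE + b"; unexpected extra logic\n"
    # The CRC is public arithmetic, so it can be recomputed for any content...
    new_crc = crc_companion(altered)
    # ...but the only tag available is the one issued for the original image,
    # since SIGNING_KEY never leaves the toolchain.
    stale_tag = sign_app(APP_IMAGE, SIGNING_KEY)
    return loader_accepts(altered, new_crc, stale_tag, SIGNING_KEY,
                          require_signature)


if __name__ == "__main__":
    genuine = loader_accepts(APP_IMAGE, crc_companion(APP_IMAGE),
                             sign_app(APP_IMAGE, SIGNING_KEY), SIGNING_KEY, True)
    print("genuine image, signature required:", genuine)
    print("altered image, CRC only:          ", tampered_scenario(False))
    print("altered image, signature required:", tampered_scenario(True))
```

The point for defenders is the last two lines of output: a CRC-only loader accepts the altered image because the check is recomputable by whoever changed the bytes, while the keyed check fails. In a real deployment the equivalent controls are keeping upload authentication enabled on port 11740 and applying the vendor update that enforces signature verification of the loaded binary.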

More details about this vulnerability, its update patches, and workarounds are available on the official platforms of the developers of the affected products.