### Background

Smart Software Solutions GmbH (3S) manufactures CoDeSys Gateway Server, a Supervisory Control and Data Acquisition/Human-Machine Interface (SCADA/HMI) product. The Gateway Server listens on TCP port 1211.

### Problem

3S CoDeSys Gateway Server 2.3.9.27 and earlier is vulnerable to a stack buffer overflow. A remote attacker could exploit this vulnerability by sending a specially crafted packet to the Gateway Server on port 1211. A successful attack could result in complete control of the affected system.

### Limitations

This exploit was tested against CoDeSys 2.3.9.31 on Windows Server 2003 SP2 English with DEP OptOut.

### Platforms

Windows
## Record metadata

SAINT exploit record SAINT:6EE29573702DB029129F0945F74ECFC0, "3S CoDeSys Gateway Server Crafted Packet Stack Overflow", reported by SAINT Corporation. Published 2013-04-29 (edition 1, last seen 2016-10-03). CVSS 10.0 (AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE); Vulners score 8.4. Source: http://www.saintcorporation.com/cgi-bin/exploit_info/3s_codesys_gateway_server_crafted_packet

Added: 04/29/2013
CVE: [CVE-2012-4708](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4708)
BID: [58032](http://www.securityfocus.com/bid/58032)
OSVDB: [90371](http://www.osvdb.org/90371)

### Resolution

Update to version 2.3.9.38.

### References

<http://ics-cert.us-cert.gov/advisories/ICSA-13-050-01>

Dependent records: CVE-2012-4708 (NVD), SAINT:C7FC10FD840A75F48A5C6FAD9663A6B0 and SAINT:C24887F4CF94B11EC8D5975E27707488 (SAINT mirrors), and ICSA-13-050-01A (ICS-CERT).
## Related records

### NVD entry CVE-2012-4708

Stack-based buffer overflow in 3S CODESYS Gateway-Server before 2.3.9.27 allows remote attackers to execute arbitrary code via a crafted packet.

Published 2013-02-24, modified 2013-05-21. CWE-119. CVSS v2 base score 10.0, vector AV:N/AC:L/Au:N/C:C/I:C/A:C (severity HIGH; exploitability subscore 10.0, impact subscore 10.0; no authentication or user interaction required). The entry also carries CPE identifiers (cpe:/a:3s-software:codesys_gateway-server) for the affected Gateway-Server versions. Source: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4708

### SAINT mirrors

Two further copies of the SAINT exploit record above, with the same title, description and CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C), published 2013-04-29: SAINT:C7FC10FD840A75F48A5C6FAD9663A6B0 (edition 2, http://download.saintcorporation.com/cgi-bin/exploit_info/3s_codesys_gateway_server_crafted_packet) and SAINT:C24887F4CF94B11EC8D5975E27707488 (edition 4, https://my.saintcorporation.com/cgi-bin/exploit_info/3s_codesys_gateway_server_crafted_packet).

### ICS-CERT advisory ICSA-13-050-01A: 3S CODESYS Gateway-Server Vulnerabilities (Update A)

Published 2013-03-27, modified 2018-09-06 (edition 16). CVEs: CVE-2012-4704, CVE-2012-4705, CVE-2012-4706, CVE-2012-4707, CVE-2012-4708. CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C). Source: https://www.us-cert.gov//ics/advisories/ICSA-13-050-01A

## Overview

This updated advisory is a follow-up to the original advisory titled ICSA-13-050-01, 3S CODESYS Gateway-Server Vulnerabilities, which was published February 19, 2013, on the ICS-CERT Web page.

This updated advisory provides mitigation details for five vulnerabilities in the 3S-Smart Software Solutions GmbH CODESYS Gateway-Server.

Independent researcher Aaron Portnoy of Exodus Intelligence has identified five vulnerabilities in the 3S CODESYS Gateway-Server application. 3S has produced a security patch that mitigates these vulnerabilities. Successful exploitation of these vulnerabilities could allow remote code execution. The Gateway-Server is a third-party component found in multiple control system manufacturers' products. These vulnerabilities affect products primarily found in the energy, critical manufacturing, and industrial automation industries.

These vulnerabilities could be exploited remotely.

**--------- Begin Update A Part 1 of 2 --------**

An exploit that targets one of these vulnerabilities is publicly available. Rapid7 has released a Metasploit module exploiting the directory traversal vulnerability, which allows arbitrary file creation that can be used to execute a .mof file in order to gain remote execution within the ICS.

**--------- End Update A Part 1 of 2 ----------**

## Affected Products

The following 3S CODESYS products are affected:

 * Gateway-Server, prior to ver. 2.3.9.27

## Impact

The 3S security patch covers the directory traversal and memory operation restriction vulnerabilities reported to ICS-CERT by Exodus Intelligence.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

## Background

3S-Smart Software Solutions GmbH, based in Germany, is the manufacturer of CODESYS, used in the industrial automation field.

According to the [3S-Smart Software Solutions GmbH Web site](http://www.3s-software.com/), CODESYS is used in virtually all sectors of the automation industry by manufacturers of industrial controllers or intelligent automation devices, by end users in many different industries, or by system integrators who offer automation solutions with CODESYS.

## Vulnerability Characterization

### Vulnerability Overview

#### Improper Access of Indexable Resource ("Range Error") [a]

The 3S CODESYS Gateway-Server performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. This could allow an attacker to send a specially crafted packet over TCP/1211 to cause a crash, read from unintended memory locations, or execute arbitrary code stored in a separate memory location.

[CVE-2012-4704](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4704) has been assigned to this vulnerability. A CVSS v2 base score of 9.4 has been assigned; the CVSS vector string is [(AV:N/AC:L/Au:N/C:C/I:N/A:C)](http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C).

#### Directory or Path Traversal [b]

The 3S CODESYS Gateway-Server uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory. However, the software does not properly neutralize special elements within the pathname, so the pathname can resolve to a location outside the restricted directory. An attacker can use a specially crafted directory path to exploit this vulnerability.

[CVE-2012-4705](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4705) has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string is [(AV:N/AC:L/Au:N/C:C/I:C/A:C)](http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C).

#### Heap-Based Buffer Overflow [c]

The 3S CODESYS Gateway-Server fails to check for a signed value, which could lead to the buffer being overwritten with malicious code. This vulnerability is exploited by sending a specially crafted packet over TCP/1211, affecting the availability of the system.

[CVE-2012-4706](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4706) has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is [(AV:N/AC:L/Au:N/C:N/I:N/A:C)](http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C).

#### Improper Restriction of Operations Within the Bounds of a Memory Buffer [d]

The 3S CODESYS Gateway-Server can read from or write to a memory location that is outside the intended boundary of the buffer. As a result, an attacker may execute arbitrary code, alter the intended control flow, read sensitive information, or cause a system crash.

[CVE-2012-4707](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4707) has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is [(AV:N/AC:L/Au:N/C:N/I:N/A:C)](http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C).

#### Stack-Based Buffer Overflow [e]

By sending a specially crafted packet to the 3S CODESYS Gateway-Server over port TCP/1211, an attacker can cause a stack-based buffer overflow. This condition could allow an attacker to cause a system crash or denial of service.

[CVE-2012-4708](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4708) has been assigned to this vulnerability. A CVSS v2 base score of 10 has been assigned; the CVSS vector string is [(AV:N/AC:L/Au:N/C:C/I:C/A:C)](http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C).

### Vulnerability Details

#### Exploitability

These vulnerabilities could be exploited remotely.

#### Existence of Exploit

**--------- Begin Update A Part 2 of 2 --------**

A publicly available Metasploit module exploits the directory traversal vulnerability.

**--------- End Update A Part 2 of 2 ----------**

#### Difficulty

An attacker with moderate skill would be able to exploit these vulnerabilities.

## Mitigation

3S has produced a security patch that mitigates these vulnerabilities. The patch is available on the [download site for CODESYS: CODESYS V2.3.9.38](http://www.codesys.com/download.html.) (customer login required).

ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.

 * Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.
 * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
 * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that a VPN is only as secure as the connected devices.

ICS-CERT also provides a section for control systems security recommended practices on the US-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

 * a. http://cwe.mitre.org/data/definitions/118.html
 * b. http://cwe.mitre.org/data/definitions/22.html
 * c. http://cwe.mitre.org/data/definitions/122.html
 * d. http://cwe.mitre.org/data/definitions/119.html
 * e. http://cwe.mitre.org/data/definitions/121.html

## Contact Information

For any questions related to this report, please contact CISA at:

Email: [CISAservicedesk@cisa.dhs.gov](mailto:cisaservicedesk@cisa.dhs.gov)
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics
For incident reporting: https://us-cert.cisa.gov/report