Critical CODESYS Bug Allows Remote Code Execution

A critical flaw in a web server for the CODESYS automation software for engineering control systems could allow a remote, unauthenticated attacker to crash a server or execute code.

The bug is rated 10 out of 10 on the CVSS v.2 vulnerability severity scale and requires little skill to exploit, the company said. It’s a heap-based buffer overflow – a class of vulnerability where the region of a process’ memory used to store dynamic variables (the heap) can be overwhelmed – and thus be made inaccessible to other processes.

In this case, the bug (CVE-2020-10245) exists in the CODESYS web server, which is used to display CODESYS system visualization screens in a web browser.

“This could crash the web server, lead to a denial-of-service condition or may be utilized for remote code execution,” according to the company’s advisory [PDF]. “As the web server is part of the CODESYS runtime system, this may result in unforeseen behavior of the complete runtime system.”

CODESYS is a software suite used by automation specialists as a development environment for programming controller applications, often found in industrial environments, according to its website. Developed by the Germany-based company Smart Software Solutions (3S) to make the engineering of automated solutions more convenient, it’s a platform-independent development environment that is compatible with programmable logic controller (PLC) hardware and many other automation components available from hundreds of companies.

Bug Details

At issue is the fact that a web-server library called CmpWebServerHandlerV3.dll (file version 3.5.15.20) doesn’t properly validate user-supplied data sent to the web server URL endpoint. An attacker could thus exploit the bug by requesting a very large memory allocation size via a WEB_CLIENT_OPENCONNECTION message sent to the CmpWebServerHandlerV3 component, according to an analysis posted this week by Tenable.

More specifically, “the flaw is due to the fact that the MemGCGetSize function adds 0x5c bytes to the requested allocation size during memory allocation operation,” the analysis read. “The extra 0x5c bytes appears to be used for memory garbage collection purposes. The MemGCGetSize function is called within the SysMemAllocData function, which is used by many CODESYS components to allocate memory from the heap.”

Tenable added, “The CmpWebServerHandlerV3 component (when in state 0) attempts to allocate -1 (0xffffffff) bytes for the communication buffer. When the SysMemAllocData function is called, the memory allocation size gets overflowed and a small (0xffffffff + 0x5c = 0x5b) heap buffer is actually allocated.”

In a proof-of-concept (PoC) posted on GitHub, an exploit is used to terminate a 32-bit “CODESYSControlService.exe” process in the web server.

In CODESYS version 3, the web server (CmpWebServer and CmpWebServerHandler) is an optional part of the CODESYS runtime system. The company said that all versions of CODESYS V3 runtime systems containing the web server prior V3.5.15.40 are affected, regardless of the CPU type or operating system, the advisory said. There’s a patch, so users should update to the latest version (V3.5.15.40).

Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join_Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar. _