cvelistv5 - cve-2012-6068

CVE-2012-6068 (GCVE-0-2012-6068)

Vulnerability from cvelistv5 – Published: 2013-01-21 21:00 – Updated: 2025-07-02 20:12

Summary

The Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not require authentication, which allows remote attackers to execute commands via the command-line interface in the TCP listener service or transfer files via requests to the TCP listener service.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-284

Assigner

icscert

References

URL

GHSA-HH9J-6V4H-23Q7

Vulnerability from github – Published: 2022-05-17 04:44 – Updated: 2025-07-02 21:31

Details

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2012-6068"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-01-21T21:55:00Z",
    "severity": "HIGH"
  },
  "details": "The Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not require authentication, which allows remote attackers to (1) execute commands via the command-line interface in the TCP listener service or (2) transfer files via requests to the TCP listener service.",
  "id": "GHSA-hh9j-6v4h-23q7",
  "modified": "2025-07-02T21:31:54Z",
  "published": "2022-05-17T04:44:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6068"
    },
    {
      "type": "WEB",
      "url": "https://us.codesys.com/ecosystem/security"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-01"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-084-01"
    },
    {
      "type": "WEB",
      "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-084-01"
    },
    {
      "type": "WEB",
      "url": "http://www.codesys.com/news-events/press-releases/detail/article/sicherheitsluecke-in-codesys-v23-laufzeitsystem.html"
    },
    {
      "type": "WEB",
      "url": "http://www.digitalbond.com/tools/basecamp/3s-codesys"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-01.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

ICSA-14-084-01

Vulnerability from csaf_cisa - Published: 2014-12-26 07:00 - Updated: 2025-06-06 22:55

Summary

Festo CECX-X-(C1/M1) Controller Vulnerabilities

Notes

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation.

Recommended Practices

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

Recommended Practices

Locate control system networks and remote devices behind firewalls and isolating them from business networks.

Recommended Practices

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Recommended Practices

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Recommended Practices

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Recommended Practices

CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Locate control system networks and remote devices behind firewalls and isolating them from business networks.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.",
        "title": "Recommended Practices"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "central@cisa.dhs.gov",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-14-084-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2014/icsa-14-084-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-14-084-01 - Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-084-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/topics/industrial-control-systems"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/publications/emailscams0905.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ncas/tips/ST04-014"
      }
    ],
    "title": "Festo CECX-X-(C1/M1) Controller Vulnerabilities",
    "tracking": {
      "current_release_date": "2025-06-06T22:55:26.819560Z",
      "generator": {
        "date": "2025-06-06T22:55:26.819496Z",
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-14-084-01",
      "initial_release_date": "2014-12-26T07:00:00.000000Z",
      "revision_history": [
        {
          "date": "2014-12-26T07:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "Initial Publication"
        },
        {
          "date": "2025-06-06T22:55:26.819560Z",
          "legacy_version": "CSAF Conversion",
          "number": "2",
          "summary": "Advisory converted into a CSAF"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "Festo CECX-X-C1 Modular Master Controller with CoDeSys: vers:all/*",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "CECX-X-C1 Modular Master Controller with CoDeSys"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "Festo CECX-X-M1 Modular Controller with CoDeSys and SoftMotion: vers:all/*",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "CECX-X-M1 Modular Controller with CoDeSys and SoftMotion"
          }
        ],
        "category": "vendor",
        "name": "Festo"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2014-0760",
      "cwe": {
        "id": "CWE-287",
        "name": "Improper Authentication"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion provide an undocumented access method involving the FTP protocol, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Festo has decided not to resolve these vulnerabilities, placing critical infrastructure asset owners using this product at risk. This advisory is being published to alert critical infrastructure asset owners of the risk of using this equipment, and to increase compensating security measures if possible.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        },
        {
          "category": "mitigation",
          "details": "Some of these compensating measures can be: Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. Locate control system networks and remote devices behind firewalls, and isolate them from the business network. When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices. Investigate the practicality of configuring and deploying an intrusion detection system (IDS) to log and monitor the control system network, as well as adjacent networks. Configure, activate, and test existing defenses, such as port security and traffic logging, among other defensive strategies in the recommended practices document listed below.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "baseScore": 9.3,
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2014-0769",
      "cwe": {
        "id": "CWE-287",
        "name": "Improper Authentication"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion do not require authentication for connections to certain TCP ports, which allows remote attackers to (1) modify the configuration via a request to the debug service on port 4000 or (2) delete log entries via a request to the log service on port 4001.",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Festo has decided not to resolve these vulnerabilities, placing critical infrastructure asset owners using this product at risk. This advisory is being published to alert critical infrastructure asset owners of the risk of using this equipment, and to increase compensating security measures if possible.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        },
        {
          "category": "mitigation",
          "details": "Some of these compensating measures can be: Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. Locate control system networks and remote devices behind firewalls, and isolate them from the business network. When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices. Investigate the practicality of configuring and deploying an intrusion detection system (IDS) to log and monitor the control system network, as well as adjacent networks. Configure, activate, and test existing defenses, such as port security and traffic logging, among other defensive strategies in the recommended practices document listed below.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "baseScore": 9.3,
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2012-6068",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not require authentication, which allows remote attackers to (1) execute commands via the command-line interface in the TCP listener service or (2) transfer files via requests to the TCP listener service.",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Festo has decided not to resolve these vulnerabilities, placing critical infrastructure asset owners using this product at risk. This advisory is being published to alert critical infrastructure asset owners of the risk of using this equipment, and to increase compensating security measures if possible.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        },
        {
          "category": "mitigation",
          "details": "Some of these compensating measures can be: Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. Locate control system networks and remote devices behind firewalls, and isolate them from the business network. When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices. Investigate the practicality of configuring and deploying an intrusion detection system (IDS) to log and monitor the control system network, as well as adjacent networks. Configure, activate, and test existing defenses, such as port security and traffic logging, among other defensive strategies in the recommended practices document listed below.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "baseScore": 10.0,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2012-6069",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Directory traversal vulnerability in the Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x allows remote attackers to read, overwrite, or create arbitrary files via a .. (dot dot) in a request to the TCP listener service.",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Festo has decided not to resolve these vulnerabilities, placing critical infrastructure asset owners using this product at risk. This advisory is being published to alert critical infrastructure asset owners of the risk of using this equipment, and to increase compensating security measures if possible.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        },
        {
          "category": "mitigation",
          "details": "Some of these compensating measures can be: Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. Locate control system networks and remote devices behind firewalls, and isolate them from the business network. When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices. Investigate the practicality of configuring and deploying an intrusion detection system (IDS) to log and monitor the control system network, as well as adjacent networks. Configure, activate, and test existing defenses, such as port security and traffic logging, among other defensive strategies in the recommended practices document listed below.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "baseScore": 10.0,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ]
    }
  ]
}

VAR-201301-0110

Vulnerability from variot - Updated: 2023-12-18 13:03

The Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not require authentication, which allows remote attackers to (1) execute commands via the command-line interface in the TCP listener service or (2) transfer files via requests to the TCP listener service. CoDeSys is a PLC software programming tool that supports IEC61131-3 standard IL, ST, FBD, LD, CFC, SFC six PLC programming languages. CoDeSys has an Access Verification Bypass vulnerability that allows an attacker to exploit an exploit for unauthorized access or to perform unauthorized configuration changes, including arbitrary code execution. The CoDeSys Runtime Toolkit does not require user authentication when connecting devices, allowing an attacker to gain administrator privileges on the device and thereby control the application device. The WAGO IPC 758-870 is prone to a security-bypass vulnerability caused by a hard-coded password. CoDeSys is prone to a security-bypass vulnerability that may allow attackers to perform actions without proper authentication. Successfully exploiting this issue may also result in arbitrary code-execution. 3S-Smart Software Solutions CoDeSys is a set of PLC (Programmable Logic Controller) software programming tools from 3S-Smart Software Solutions in Germany. Runtime Toolkit is the runtime toolkit of CoDeSys. ----------------------------------------------------------------------

The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/

TITLE: CoDeSys Authentication Bypass and Directory Traversal Vulnerabilities

SECUNIA ADVISORY ID: SA51847

VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/51847/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=51847

RELEASE DATE: 2013-01-14

DISCUSS ADVISORY: http://secunia.com/advisories/51847/#comments

AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s)

http://secunia.com/advisories/51847/

ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS

https://ca.secunia.com/?page=viewadvisory&vuln_id=51847

ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING

http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

DESCRIPTION: Digital Bond has reported two vulnerabilities in CoDeSys, which can be exploited by malicious people to bypass certain security restrictions and compromise a vulnerable system.

1) An error within the authentication mechanism does not properly restrict access to the device and can be exploited to perform certain administrative tasks.

2) Certain input passed to the file transfer functionality is not properly verified before being used to access files. This can be exploited to read, delete, or upload arbitrary files via directory traversal sequences.

The vulnerabilities are reported in versions 2.3.x and 2.4.x.

SOLUTION: Apply patches (please contact the vendor for more information).

PROVIDED AND/OR DISCOVERED BY: Reid Wightman, Digital Bond.

ORIGINAL ADVISORY: ICS-CERT (ICSA-13-011-01): http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-01.pdf

CoDeSys: http://www.codesys.com/news-events/press-releases/detail/article/sicherheitsluecke-in-codesys-v23-laufzeitsystem.html

OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/

DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/

EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/

EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/

EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/

About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities.

Subscribe: http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/

Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

. SEC Consult Vulnerability Lab Security Advisory < 20171130-0 > ======================================================================= title: Critical CODESYS vulnerabilities product: WAGO PFC 200 Series, see "Vulnerable / tested versions" vulnerable version: plclinux_rt 2.4.7.0, see "Vulnerable / tested versions" fixed version: PFC200 FW11 CVE number: - impact: critical homepage: https://www.codesys.com found: 2017-07-28 by: T. Weber (Office Vienna) SEC Consult Vulnerability Lab

                 An integrated part of SEC Consult
                 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                 https://www.sec-consult.com

=======================================================================

Vendor description:

"The WAGO-I/O-SYSTEM is a flexible fieldbus-independent solution for decentralized automation tasks. With the relay, function and interface modules, as well as overvoltage protection, WAGO provides a suitable interface for any application."

Source: http://global.wago.com/en/products/product-catalog/ components-automation/overview/index.jsp

"The PFC family of controllers offers advanced compact, computing power for PLC programming and process visualization. Programmable in accordance with IEC 61131-3 600, PFC controllers feature a 600 MHz ARM Cortex A8 processor that offers high speed processing and support of 64 bit variables."

Source: http://www.wago.us/products/components-for-automation/modular-io-system-series-750-753/programmable-fieldbus-controller/pfc200/index.jsp

Business recommendation:

Because of the use in industrial and safety-critical environments the patch has to be applied as soon as it is available. We explicitly point out to all users in this sector that this device series in the mentioned device series with firmware 02.07.07(10) should not be connected directly to the internet (or even act as gateway) since it is very likely that an attacker can compromise the whole network via such an device.

SEC Consult recommends not to use this product in a production environment until a thorough security review has been performed by security professionals.

Vulnerability overview/description:

The "plclinux_rt" service accepts different unauthenticated actions.

This vulnerability contains the architectural security problems described by Reid Wightman. The SDK of "plclinux_rt" is written by the same vendor (3S). Therefore, the file commands of "Digital Bond's 3S CODESYS Tools", created around 2012 are applicable. (See https://ics-cert.us-cert.gov/advisories/ICSA-13-011-01)

The CODESYS command-line is protected with login credentials, that's why the shell of the mentioned tools does not provide root access out of the box. But after some investigation it was clear that there are further functions which are reachable without using the command-line and without any authentication.

These functions in "plclinux_rt" can be triggered by sending the correct TCP payload on the bound port (by default 2455).

Some of the triggerable functions are: * Arbitrary file read/write/delete (also covered by "Digital Bond's Tools") * Step over a function in the currently executed PLC program * Cycle step any function in the currently executed PLC program * Delete the current variable list of the currently executed PLC program * And more functions...

Since SSH is activated by default, an unauthenticated attacker can rewrite "/etc/shadow" and gain root privileges easily via these attack vectors!

1) Critical Improper Authentication / Design Issue Files can be fetched, written and deleted. Running tasks on the PLC can be restarted, stepped and crashed.

An attacker can therefore replace the password hash in the shadow file. A memory corruption (and potential reverse-shell) is also possible via arbitrary TCP packets.

There are potentially more commands which can be triggered, but this was not covered by the short security crash test.

Proof of concept:

As there is no patch available yet, the detailed proof of concept information has been removed from this advisory.

1) Critical Improper Authentication / Design Issue Two payloads are specified here as proof of concept for file manipulation. Four payloads for live program manipulation are also listed.

File read and delete without any authentication.

Read "/etc/shadow": echo '[PoC removed]' | xxd -r -p | nc

Delete "/etc/test": echo '[PoC removed]' | xxd -r -p | nc

Runnning PLC tasks could be modified with the following payloads:

Step over function: echo '[PoC removed]' | xxd -r -p | nc

Cycle step function: echo '[PoC removed]' | xxd -r -p | nc

Delete variable list (produces stack-trace / denial of service): echo '[PoC removed]' | xxd -r -p | nc

The actual function is chosen by the 7th byte in the latter payloads. E.g.: 0x31 -> read file 0x36 -> delete file 0x0a -> step over 0x24 -> cycle step 0x15 -> delete variable list

There are much more functions hidden in the "plclinux_rt" binary. This is just an excerpt of a few available functions.

These functions can be examined from "SrvComputeService". Two pseudo code snippets generated by IDA Pro shows some examples (the functionality can be quickly determined from the corresponding debug message): [PoC removed from this advisory]

Vulnerable / tested versions:

WAGO PFC200 Series / Firmware 02.07.07(10) (17 affected devices) 750-8202 750-8202/025-000 750-8202/025-001 750-8202/025-002 750-8202/040-001 750-8203 750-8203/025-000 750-8204 750-8204/025-000 750-8206 750-8206/025-000 750-8206/025-001 750-8207 750-8207/025-000 750-8207/025-001 750-8208 750-8208/025-000

The WAGO contact stated during a call that all PLCs of the 750-88X Series are not vulnerable due to a custom fix from WAGO. The contact also stated that the PLCs of the 750-810X (PFC100) series are also not vulnerable because they have CODESYS 3.5 deployed.

Devices of any other vendor which use the CODESYS 2.3.X/2.4.X runtime are potentially prone to the same vulnerability.

Vendor contact timeline:

2017-08-02: Contacting vendor through info@wago.com and set the publication date to 2017-09-21. 2017-08-09: Sending a reminder to info@wago.com 2017-08-16: Found a dedicated security contact of WAGO. Contacting this employee via e-mail. 2017-08-17: Contact responds that he will read the redirected e-mail from info@wago.com. Sending e-mail to contact that the message sent to info@wago.com does not contain the actual advisory and that an encrypted channel should be used for transmission. 2017-08-22: Sending reminder to contact and re-transmitting the responsible disclosure policy and all possible ways to transmit the advisory. 2017-08-29: Uploading advisory to WAGO ShareFile. 2017-09-15: Telephone call with WAGO contact. Discussion about the vulnerability. Fix will be available in the next firmware version. Vendor clarified that series 750-88X is not prone to the reported vulnerability. Set the publication date to 2017-09-28. 2017-09-26: Telephone call with vendor. Vendor is working on a fix of the vulnerabilities. Set the publication date to 2017-10-12. 2017-10-06: Sending a reminder to the vendor; No answer. 2017-10-11: Sending a reminder to the vendor. Vendor states that they are working on an update and a timeline for the fix will be provided on 2017-10-13. 2017-10-13: Asked for an update; No answer. 2017-10-17: Informing the vendor that the publication date was set to 2017-10-23. 2017-10-19: Vendor responds that vulnerability in PFC200 series will be patched in firmware version FW12. Set publication date to 2017-10-27 and asked the vendor for a time-line regarding the PFC100 series. 2017-10-20: Vendor responds that PFC100 series is not vulnerable since it does not contain CODESYS 2.4 run-time. Vendor corrected the firmware to version FW11. The patch will be available in January 2018. 2017-10-30: Informed vendor that the advisory will be published on 2017-11-30. 2017-11-30: Advisory release

Solution:

Update your WAGO PFC200 Series to firmware version FW11 as soon as it is available. In the meantime, see the workaround section.

Workaround:

Delete "plclinux_rt" or close the programming port (2455). Network access to the device should be restricted.

Advisory URL:

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/contact/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2017

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201301-0110",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "codesys runtime system",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "3s",
        "version": "2.3.9.8"
      },
      {
        "model": "codesys runtime system",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "3s",
        "version": "2.3.9.35"
      },
      {
        "model": "codesys runtime system",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "3s",
        "version": "2.3.9.36"
      },
      {
        "model": "codesys runtime system",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "3s",
        "version": "2.4.0"
      },
      {
        "model": "codesys runtime system",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "3s",
        "version": "2.3.9.37"
      },
      {
        "model": "wago",
        "scope": "eq",
        "trust": 1.2,
        "vendor": "wago",
        "version": "758-870"
      },
      {
        "model": "codesys",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "3s smart",
        "version": "2.3"
      },
      {
        "model": "codesys",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "3s smart",
        "version": "2.3.9.32"
      },
      {
        "model": "codesys",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "3s smart",
        "version": "3.4"
      },
      {
        "model": "codesys",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "3s smart",
        "version": "3.5"
      },
      {
        "model": "codesys control runtime system",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "3s smart",
        "version": "2.3.x"
      },
      {
        "model": "codesys control runtime system",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "3s smart",
        "version": "2.4.x"
      },
      {
        "model": "cecx-x-c1 modular master controller",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "festo",
        "version": "with codesys"
      },
      {
        "model": "cecx-x-m1 modular controller",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "festo",
        "version": "with codesys and softmotion"
      },
      {
        "model": "codesys",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "3s smart",
        "version": "2.x"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.4,
        "vendor": "codesys runtime system",
        "version": "2.3.9.8"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.4,
        "vendor": "codesys runtime system",
        "version": "2.3.9.35"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.4,
        "vendor": "codesys runtime system",
        "version": "2.3.9.36"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.4,
        "vendor": "codesys runtime system",
        "version": "2.3.9.37"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.4,
        "vendor": "codesys runtime system",
        "version": "2.4.0"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "21283762-2353-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "95311fba-1f6c-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-1827"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-00303"
      },
      {
        "db": "BID",
        "id": "52940"
      },
      {
        "db": "BID",
        "id": "52942"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-001224"
      },
      {
        "db": "NVD",
        "id": "CVE-2012-6068"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201204-108"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:3s-software:codesys_runtime_system:2.3.9.37:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:3s-software:codesys_runtime_system:2.3.9.35:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:3s-software:codesys_runtime_system:2.3.9.8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:3s-software:codesys_runtime_system:2.3.9.36:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:3s-software:codesys_runtime_system:2.4.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2012-6068"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Reid Wightman of Digital Bond",
    "sources": [
      {
        "db": "BID",
        "id": "52940"
      },
      {
        "db": "BID",
        "id": "52942"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201210-641"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201204-108"
      }
    ],
    "trust": 1.8
  },
  "cve": "CVE-2012-6068",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 10.0,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "CVE-2012-6068",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "21283762-2353-11e6-abef-000c29c66e3d",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.2,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "95311fba-1f6c-11e6-abef-000c29c66e3d",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.2,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "VHN-59349",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2012-6068",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201204-108",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "IVD",
            "id": "21283762-2353-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "CRITICAL"
          },
          {
            "author": "IVD",
            "id": "95311fba-1f6c-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-59349",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "21283762-2353-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "95311fba-1f6c-11e6-abef-000c29c66e3d"
      },
      {
        "db": "VULHUB",
        "id": "VHN-59349"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-001224"
      },
      {
        "db": "NVD",
        "id": "CVE-2012-6068"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201204-108"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not require authentication, which allows remote attackers to (1) execute commands via the command-line interface in the TCP listener service or (2) transfer files via requests to the TCP listener service. CoDeSys is a PLC software programming tool that supports IEC61131-3 standard IL, ST, FBD, LD, CFC, SFC six PLC programming languages. CoDeSys has an Access Verification Bypass vulnerability that allows an attacker to exploit an exploit for unauthorized access or to perform unauthorized configuration changes, including arbitrary code execution. The CoDeSys Runtime Toolkit does not require user authentication when connecting devices, allowing an attacker to gain administrator privileges on the device and thereby control the application device. The WAGO IPC 758-870 is prone to a security-bypass vulnerability caused by a hard-coded password. CoDeSys is prone to a security-bypass vulnerability that may allow attackers to perform actions without proper authentication. \nSuccessfully exploiting this issue may also result in arbitrary code-execution. 3S-Smart Software Solutions CoDeSys is a set of PLC (Programmable Logic Controller) software programming tools from 3S-Smart Software Solutions in Germany. Runtime Toolkit is the runtime toolkit of CoDeSys. ----------------------------------------------------------------------\n\nThe final version of the CSI 6.0 has been released. \nFind out why this is not just another Patch Management solution: http://secunia.com/blog/325/\n\n----------------------------------------------------------------------\n\nTITLE:\nCoDeSys Authentication Bypass and Directory Traversal Vulnerabilities\n\nSECUNIA ADVISORY ID:\nSA51847\n\nVERIFY ADVISORY:\nSecunia.com\nhttp://secunia.com/advisories/51847/\nCustomer Area (Credentials Required)\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=51847\n\nRELEASE DATE:\n2013-01-14\n\nDISCUSS ADVISORY:\nhttp://secunia.com/advisories/51847/#comments\n\nAVAILABLE ON SITE AND IN CUSTOMER AREA:\n * Last Update\n * Popularity\n * Comments\n * Criticality Level\n * Impact\n * Where\n * Solution Status\n * Operating System / Software\n * CVE Reference(s)\n\nhttp://secunia.com/advisories/51847/\n\nONLY AVAILABLE IN CUSTOMER AREA:\n * Authentication Level\n * Report Reliability\n * Secunia PoC\n * Secunia Analysis\n * Systems Affected\n * Approve Distribution\n * Remediation Status\n * Secunia CVSS Score\n * CVSS\n\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=51847\n\nONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:\n * AUTOMATED SCANNING\n\nhttp://secunia.com/vulnerability_scanning/personal/\nhttp://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/\n\nDESCRIPTION:\nDigital Bond has reported two vulnerabilities in CoDeSys, which can\nbe exploited by malicious people to bypass certain security\nrestrictions and compromise a vulnerable system. \n\n1) An error within the authentication mechanism does not properly\nrestrict access to the device and can be exploited to perform certain\nadministrative tasks. \n\n2) Certain input passed to the file transfer functionality is not\nproperly verified before being used to access files. This can be\nexploited to read, delete, or upload arbitrary files via directory\ntraversal sequences. \n\nThe vulnerabilities are reported in versions 2.3.x and 2.4.x. \n\nSOLUTION:\nApply patches (please contact the vendor for more information). \n\nPROVIDED AND/OR DISCOVERED BY:\nReid Wightman, Digital Bond. \n\nORIGINAL ADVISORY:\nICS-CERT (ICSA-13-011-01):\nhttp://www.us-cert.gov/control_systems/pdf/ICSA-13-011-01.pdf\n\nCoDeSys:\nhttp://www.codesys.com/news-events/press-releases/detail/article/sicherheitsluecke-in-codesys-v23-laufzeitsystem.html\n\nOTHER REFERENCES:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nDEEP LINKS:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nEXTENDED DESCRIPTION:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nEXTENDED SOLUTION:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nEXPLOIT:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\nprivate users keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n. \nSEC Consult Vulnerability Lab Security Advisory \u003c 20171130-0 \u003e\n=======================================================================\n              title: Critical CODESYS vulnerabilities\n            product: WAGO PFC 200 Series, see \"Vulnerable / tested versions\"\n vulnerable version: plclinux_rt 2.4.7.0, see \"Vulnerable / tested versions\"\n      fixed version: PFC200 FW11\n         CVE number: -\n             impact: critical\n           homepage: https://www.codesys.com\n              found: 2017-07-28\n                 by: T. Weber (Office Vienna)\n                     SEC Consult Vulnerability Lab\n\n                     An integrated part of SEC Consult\n                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow\n                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich\n\n                     https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"The WAGO-I/O-SYSTEM is a flexible fieldbus-independent solution for\ndecentralized automation tasks. With the relay, function and interface\nmodules, as well as overvoltage protection, WAGO provides a suitable interface\nfor any application.\"\n\nSource: http://global.wago.com/en/products/product-catalog/\n        components-automation/overview/index.jsp\n\n\"The PFC family of controllers offers advanced compact, computing power for PLC\nprogramming and process visualization. Programmable in accordance with IEC 61131-3\n600, PFC controllers feature a 600 MHz ARM Cortex A8 processor that offers high\nspeed processing and support of 64 bit variables.\"\n\nSource:\nhttp://www.wago.us/products/components-for-automation/modular-io-system-series-750-753/programmable-fieldbus-controller/pfc200/index.jsp\n\n\n\nBusiness recommendation:\n------------------------\nBecause of the use in industrial and safety-critical environments the patch has\nto be applied as soon as it is available. We explicitly point out to all users\nin this sector that this device series in the mentioned device series with\nfirmware 02.07.07(10) should not be connected directly to the internet (or even\nact as gateway) since it is very likely that an attacker can compromise the\nwhole network via such an device. \n\nSEC Consult recommends not to use this product in a production environment\nuntil a thorough security review has been performed by security professionals. \n\n\nVulnerability overview/description:\n-----------------------------------\nThe \"plclinux_rt\" service accepts different unauthenticated actions. \n\nThis vulnerability contains the architectural security problems described by\nReid Wightman. The SDK of \"plclinux_rt\" is written by the same vendor (3S). \nTherefore, the file commands of \"Digital Bond\u0027s 3S CODESYS Tools\", created\naround 2012 are applicable. \n(See https://ics-cert.us-cert.gov/advisories/ICSA-13-011-01)\n\nThe CODESYS command-line is protected with login credentials, that\u0027s why the\nshell of the mentioned tools does not provide root access out of the box. But\nafter some investigation it was clear that there are further functions which\nare reachable without using the command-line and without any authentication. \n\nThese functions in \"plclinux_rt\" can be triggered by sending the correct\nTCP payload on the bound port (by default 2455). \n\nSome of the triggerable functions are:\n* Arbitrary file read/write/delete (also covered by \"Digital Bond\u0027s Tools\")\n* Step over a function in the currently executed PLC program\n* Cycle step any function in the currently executed PLC program\n* Delete the current variable list of the currently executed PLC program\n* And more functions... \n\nSince SSH is activated by default, an unauthenticated attacker can rewrite\n\"/etc/shadow\" and gain root privileges easily via these attack vectors!\n\n\n1) Critical Improper Authentication / Design Issue\nFiles can be fetched, written and deleted. Running tasks on the PLC can be\nrestarted, stepped and crashed. \n\nAn attacker can therefore replace the password hash in the shadow file. A\nmemory corruption (and potential reverse-shell) is also possible via arbitrary\nTCP packets. \n\nThere are potentially more commands which can be triggered, but this was not\ncovered by the short security crash test. \n\n\nProof of concept:\n-----------------\nAs there is no patch available yet, the detailed proof of concept information has\nbeen removed from this advisory. \n\n1) Critical Improper Authentication / Design Issue\nTwo payloads are specified here as proof of concept for file manipulation. \nFour payloads for live program manipulation are also listed. \n\nFile read and delete without any authentication. \n\nRead \"/etc/shadow\":\necho \u0027[PoC removed]\u0027 | xxd -r -p | nc \u003cPLC-IP\u003e \u003cPort\u003e\n\nDelete \"/etc/test\":\necho \u0027[PoC removed]\u0027 | xxd -r -p | nc \u003cPLC-IP\u003e \u003cPort\u003e\n\nRunnning PLC tasks could be modified with the following payloads:\n\nStep over function:\necho \u0027[PoC removed]\u0027 | xxd -r -p | nc \u003cPLC-IP\u003e \u003cPort\u003e\n\nCycle step function:\necho \u0027[PoC removed]\u0027 | xxd -r -p | nc \u003cPLC-IP\u003e \u003cPort\u003e\n\nDelete variable list (produces stack-trace / denial of service):\necho \u0027[PoC removed]\u0027 | xxd -r -p | nc \u003cPLC-IP\u003e \u003cPort\u003e\n\nThe actual function is chosen by the 7th byte in the latter payloads. E.g.:\n0x31 -\u003e read file\n0x36 -\u003e delete file\n0x0a -\u003e step over\n0x24 -\u003e cycle step\n0x15 -\u003e delete variable list\n\nThere are much more functions hidden in the \"plclinux_rt\" binary. This\nis just an excerpt of a few available functions. \n\nThese functions can be examined from \"SrvComputeService\". Two pseudo code\nsnippets generated by IDA Pro shows some examples (the functionality can be\nquickly determined from the corresponding debug message):\n[PoC removed from this advisory]\n\n\nVulnerable / tested versions:\n-----------------------------\nWAGO PFC200 Series / Firmware 02.07.07(10)\n(17 affected devices)\n750-8202\n750-8202/025-000\n750-8202/025-001\n750-8202/025-002\n750-8202/040-001\n750-8203\n750-8203/025-000\n750-8204\n750-8204/025-000\n750-8206\n750-8206/025-000\n750-8206/025-001\n750-8207\n750-8207/025-000\n750-8207/025-001\n750-8208\n750-8208/025-000\n\nThe WAGO contact stated during a call that all PLCs of the 750-88X Series are not\nvulnerable due to a custom fix from WAGO. The contact also stated that the PLCs\nof the 750-810X (PFC100) series are also not vulnerable because they have\nCODESYS 3.5 deployed. \n\nDevices of any other vendor which use the CODESYS 2.3.X/2.4.X runtime are\npotentially prone to the same vulnerability. \n\n\nVendor contact timeline:\n------------------------\n2017-08-02: Contacting vendor through info@wago.com and set the\n            publication date to 2017-09-21. \n2017-08-09: Sending a reminder to info@wago.com\n2017-08-16: Found a dedicated security contact of WAGO. Contacting\n            this employee via e-mail. \n2017-08-17: Contact responds that he will read the redirected e-mail\n            from info@wago.com. Sending e-mail to contact that the\n            message sent to info@wago.com does not contain the actual\n            advisory and that an encrypted channel should be used for\n            transmission. \n2017-08-22: Sending reminder to contact and re-transmitting the\n            responsible disclosure policy and all possible ways\n            to transmit the advisory. \n2017-08-29: Uploading advisory to WAGO ShareFile. \n2017-09-15: Telephone call with WAGO contact. Discussion about the\n            vulnerability. Fix will be available in the next firmware\n            version. Vendor clarified that series 750-88X is not prone\n            to the reported vulnerability. Set the publication date to\n            2017-09-28. \n2017-09-26: Telephone call with vendor. Vendor is working on a fix of\n            the vulnerabilities. Set the publication date to 2017-10-12. \n2017-10-06: Sending a reminder to the vendor; No answer. \n2017-10-11: Sending a reminder to the vendor. Vendor states that they\n            are working on an update and a timeline for the fix will\n            be provided on 2017-10-13. \n2017-10-13: Asked for an update; No answer. \n2017-10-17: Informing the vendor that the publication date was set to\n            2017-10-23. \n2017-10-19: Vendor responds that vulnerability in PFC200 series will be\n            patched in firmware version FW12. Set publication date to\n            2017-10-27 and asked the vendor for a time-line regarding\n            the PFC100 series. \n2017-10-20: Vendor responds that PFC100 series is not vulnerable since\n            it does not contain CODESYS 2.4 run-time. Vendor corrected\n            the firmware to version FW11. The patch will be available\n            in January 2018. \n2017-10-30: Informed vendor that the advisory will be published on\n            2017-11-30. \n2017-11-30: Advisory release\n\n\nSolution:\n---------\nUpdate your WAGO PFC200 Series to firmware version FW11 as soon as it is\navailable. In the meantime, see the workaround section. \n\n\nWorkaround:\n-----------\nDelete \"plclinux_rt\" or close the programming port (2455). \nNetwork access to the device should be restricted. \n\n\nAdvisory URL:\n-------------\nhttps://www.sec-consult.com/en/vulnerability-lab/advisories/index.html\n\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSEC Consult Vulnerability Lab\n\nSEC Consult\nBangkok - Berlin - Linz - Luxembourg - Montreal - Moscow\nKuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich\n\nAbout SEC Consult Vulnerability Lab\nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It\nensures the continued knowledge gain of SEC Consult in the field of network\nand application security to stay ahead of the attacker. The SEC Consult\nVulnerability Lab supports high-quality penetration testing and the evaluation\nof new offensive and defensive technologies for our customers. Hence our\ncustomers obtain the most current information about vulnerabilities and valid\nrecommendation about the risk profile of new technologies. \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nInterested to work with the experts of SEC Consult?\nSend us your application https://www.sec-consult.com/en/career/index.html\n\nInterested in improving your cyber security with the experts of SEC Consult?\nContact our local offices https://www.sec-consult.com/en/contact/index.html\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nMail: research at sec-consult dot com\nWeb: https://www.sec-consult.com\nBlog: http://blog.sec-consult.com\nTwitter: https://twitter.com/sec_consult\n\nEOF T. Weber / @2017\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2012-6068"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-001224"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-1827"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-00303"
      },
      {
        "db": "BID",
        "id": "52940"
      },
      {
        "db": "BID",
        "id": "52942"
      },
      {
        "db": "IVD",
        "id": "21283762-2353-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "95311fba-1f6c-11e6-abef-000c29c66e3d"
      },
      {
        "db": "VULHUB",
        "id": "VHN-59349"
      },
      {
        "db": "PACKETSTORM",
        "id": "119510"
      },
      {
        "db": "PACKETSTORM",
        "id": "145197"
      }
    ],
    "trust": 3.87
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2012-6068",
        "trust": 3.8
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-13-011-01",
        "trust": 3.0
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-14-084-01",
        "trust": 2.2
      },
      {
        "db": "ICS CERT ALERT",
        "id": "ICS-ALERT-12-097-01",
        "trust": 1.2
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201204-108",
        "trust": 1.1
      },
      {
        "db": "BID",
        "id": "52942",
        "trust": 1.0
      },
      {
        "db": "BID",
        "id": "52940",
        "trust": 0.9
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-00303",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-1827",
        "trust": 0.8
      },
      {
        "db": "SECUNIA",
        "id": "51847",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-001224",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201210-641",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.3314",
        "trust": 0.6
      },
      {
        "db": "ICS CERT ALERT",
        "id": "ICS-ALERT-12-097-02",
        "trust": 0.3
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-12-249-02",
        "trust": 0.3
      },
      {
        "db": "IVD",
        "id": "21283762-2353-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "IVD",
        "id": "95311FBA-1F6C-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-59349",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "119510",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "145197",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "21283762-2353-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "95311fba-1f6c-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-1827"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-00303"
      },
      {
        "db": "VULHUB",
        "id": "VHN-59349"
      },
      {
        "db": "BID",
        "id": "52940"
      },
      {
        "db": "BID",
        "id": "52942"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-001224"
      },
      {
        "db": "PACKETSTORM",
        "id": "119510"
      },
      {
        "db": "PACKETSTORM",
        "id": "145197"
      },
      {
        "db": "NVD",
        "id": "CVE-2012-6068"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201210-641"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201204-108"
      }
    ]
  },
  "id": "VAR-201301-0110",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "21283762-2353-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "95311fba-1f6c-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-1827"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-00303"
      },
      {
        "db": "VULHUB",
        "id": "VHN-59349"
      }
    ],
    "trust": 2.2795454399999997
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 1.6
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "21283762-2353-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "95311fba-1f6c-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-1827"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-00303"
      }
    ]
  },
  "last_update_date": "2023-12-18T13:03:36.719000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Security Vulnerability in CODESYS V2.3 Runtime System",
        "trust": 0.8,
        "url": "http://www.codesys.com/news-events/press-releases/detail/article/sicherheitsluecke-in-codesys-v23-laufzeitsystem.html"
      },
      {
        "title": "CoDeSys verifies patches that bypass the vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/29232"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-00303"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-001224"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-264",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-59349"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-001224"
      },
      {
        "db": "NVD",
        "id": "CVE-2012-6068"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.3,
        "url": "http://www.us-cert.gov/control_systems/pdf/icsa-13-011-01.pdf"
      },
      {
        "trust": 2.2,
        "url": "http://ics-cert.us-cert.gov/advisories/icsa-14-084-01"
      },
      {
        "trust": 1.2,
        "url": "http://www.codesys.com/news-events/press-releases/detail/article/sicherheitsluecke-in-codesys-v23-laufzeitsystem.html"
      },
      {
        "trust": 1.1,
        "url": "http://www.digitalbond.com/tools/basecamp/3s-codesys/"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-6068"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-6068"
      },
      {
        "trust": 0.7,
        "url": "http://secunia.com/advisories/51847/"
      },
      {
        "trust": 0.6,
        "url": "http://www.us-cert.gov/control_systems/pdf/ics-alert-12-097-01.pdfhttp"
      },
      {
        "trust": 0.6,
        "url": "http://www.us-cert.gov/control_systems/pdf/ics-alert-12-097-01.pdf"
      },
      {
        "trust": 0.6,
        "url": "http://www.securityfocus.com/bid/52940"
      },
      {
        "trust": 0.6,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsa-13-011-01"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.3314/"
      },
      {
        "trust": 0.3,
        "url": " http://www.wago.com/"
      },
      {
        "trust": 0.3,
        "url": "http://www.3s-software.com/"
      },
      {
        "trust": 0.3,
        "url": "http://www.us-cert.gov/control_systems/pdf/ics-alert-12-097-02.pdf"
      },
      {
        "trust": 0.3,
        "url": "http://www.us-cert.gov/control_systems/pdf/icsa-12-249-02.pdf"
      },
      {
        "trust": 0.1,
        "url": "https://ca.secunia.com/?page=viewadvisory\u0026vuln_id=51847"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/vulnerability_intelligence/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/secunia_security_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/51847/#comments"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/vulnerability_scanning/personal/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/blog/325/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/about_secunia_advisories/"
      },
      {
        "trust": 0.1,
        "url": "https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html"
      },
      {
        "trust": 0.1,
        "url": "http://www.wago.us/products/components-for-automation/modular-io-system-series-750-753/programmable-fieldbus-controller/pfc200/index.jsp"
      },
      {
        "trust": 0.1,
        "url": "https://www.codesys.com"
      },
      {
        "trust": 0.1,
        "url": "https://www.sec-consult.com"
      },
      {
        "trust": 0.1,
        "url": "http://global.wago.com/en/products/product-catalog/"
      },
      {
        "trust": 0.1,
        "url": "https://ics-cert.us-cert.gov/advisories/icsa-13-011-01)"
      },
      {
        "trust": 0.1,
        "url": "https://twitter.com/sec_consult"
      },
      {
        "trust": 0.1,
        "url": "https://www.sec-consult.com/en/contact/index.html"
      },
      {
        "trust": 0.1,
        "url": "http://blog.sec-consult.com"
      },
      {
        "trust": 0.1,
        "url": "https://www.sec-consult.com/en/career/index.html"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2012-1827"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-00303"
      },
      {
        "db": "VULHUB",
        "id": "VHN-59349"
      },
      {
        "db": "BID",
        "id": "52940"
      },
      {
        "db": "BID",
        "id": "52942"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-001224"
      },
      {
        "db": "PACKETSTORM",
        "id": "119510"
      },
      {
        "db": "PACKETSTORM",
        "id": "145197"
      },
      {
        "db": "NVD",
        "id": "CVE-2012-6068"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201210-641"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201204-108"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "21283762-2353-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "95311fba-1f6c-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-1827"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-00303"
      },
      {
        "db": "VULHUB",
        "id": "VHN-59349"
      },
      {
        "db": "BID",
        "id": "52940"
      },
      {
        "db": "BID",
        "id": "52942"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-001224"
      },
      {
        "db": "PACKETSTORM",
        "id": "119510"
      },
      {
        "db": "PACKETSTORM",
        "id": "145197"
      },
      {
        "db": "NVD",
        "id": "CVE-2012-6068"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201210-641"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201204-108"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2013-01-17T00:00:00",
        "db": "IVD",
        "id": "21283762-2353-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2012-04-11T00:00:00",
        "db": "IVD",
        "id": "95311fba-1f6c-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2012-04-11T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2012-1827"
      },
      {
        "date": "2013-01-17T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2013-00303"
      },
      {
        "date": "2013-01-21T00:00:00",
        "db": "VULHUB",
        "id": "VHN-59349"
      },
      {
        "date": "2012-04-06T00:00:00",
        "db": "BID",
        "id": "52940"
      },
      {
        "date": "2012-04-06T00:00:00",
        "db": "BID",
        "id": "52942"
      },
      {
        "date": "2013-01-23T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-001224"
      },
      {
        "date": "2013-01-14T06:29:51",
        "db": "PACKETSTORM",
        "id": "119510"
      },
      {
        "date": "2017-12-04T00:42:06",
        "db": "PACKETSTORM",
        "id": "145197"
      },
      {
        "date": "2013-01-21T21:55:01.103000",
        "db": "NVD",
        "id": "CVE-2012-6068"
      },
      {
        "date": "2012-04-06T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201210-641"
      },
      {
        "date": "2012-04-11T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201204-108"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2012-04-11T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2012-1827"
      },
      {
        "date": "2013-01-17T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2013-00303"
      },
      {
        "date": "2014-05-05T00:00:00",
        "db": "VULHUB",
        "id": "VHN-59349"
      },
      {
        "date": "2012-04-06T00:00:00",
        "db": "BID",
        "id": "52940"
      },
      {
        "date": "2015-03-19T08:38:00",
        "db": "BID",
        "id": "52942"
      },
      {
        "date": "2014-05-13T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-001224"
      },
      {
        "date": "2014-05-05T05:16:54.280000",
        "db": "NVD",
        "id": "CVE-2012-6068"
      },
      {
        "date": "2012-10-29T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201210-641"
      },
      {
        "date": "2020-10-22T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201204-108"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201210-641"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201204-108"
      }
    ],
    "trust": 1.2
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "CoDeSys Access Security Bypass Vulnerability",
    "sources": [
      {
        "db": "IVD",
        "id": "95311fba-1f6c-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-1827"
      },
      {
        "db": "BID",
        "id": "52942"
      }
    ],
    "trust": 1.1
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "permissions and access control issues",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201204-108"
      }
    ],
    "trust": 0.6
  }
}

GSD-2012-6068

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2012-6068

Aliases

CVE-2012-6068

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2012-6068",
    "description": "The Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not require authentication, which allows remote attackers to (1) execute commands via the command-line interface in the TCP listener service or (2) transfer files via requests to the TCP listener service.",
    "id": "GSD-2012-6068"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2012-6068"
      ],
      "details": "The Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not require authentication, which allows remote attackers to (1) execute commands via the command-line interface in the TCP listener service or (2) transfer files via requests to the TCP listener service.",
      "id": "GSD-2012-6068",
      "modified": "2023-12-13T01:20:17.608370Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "ID": "CVE-2012-6068",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not require authentication, which allows remote attackers to (1) execute commands via the command-line interface in the TCP listener service or (2) transfer files via requests to the TCP listener service."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://www.codesys.com/news-events/press-releases/detail/article/sicherheitsluecke-in-codesys-v23-laufzeitsystem.html",
            "refsource": "CONFIRM",
            "url": "http://www.codesys.com/news-events/press-releases/detail/article/sicherheitsluecke-in-codesys-v23-laufzeitsystem.html"
          },
          {
            "name": "http://ics-cert.us-cert.gov/advisories/ICSA-14-084-01",
            "refsource": "MISC",
            "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-084-01"
          },
          {
            "name": "http://www.digitalbond.com/tools/basecamp/3s-codesys/",
            "refsource": "MISC",
            "url": "http://www.digitalbond.com/tools/basecamp/3s-codesys/"
          },
          {
            "name": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-01.pdf",
            "refsource": "MISC",
            "url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-01.pdf"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:3s-software:codesys_runtime_system:2.3.9.37:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:3s-software:codesys_runtime_system:2.3.9.35:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:3s-software:codesys_runtime_system:2.3.9.8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:3s-software:codesys_runtime_system:2.3.9.36:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:3s-software:codesys_runtime_system:2.4.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2012-6068"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not require authentication, which allows remote attackers to (1) execute commands via the command-line interface in the TCP listener service or (2) transfer files via requests to the TCP listener service."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-264"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.digitalbond.com/tools/basecamp/3s-codesys/",
              "refsource": "MISC",
              "tags": [],
              "url": "http://www.digitalbond.com/tools/basecamp/3s-codesys/"
            },
            {
              "name": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-01.pdf",
              "refsource": "MISC",
              "tags": [
                "US Government Resource"
              ],
              "url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-01.pdf"
            },
            {
              "name": "http://www.codesys.com/news-events/press-releases/detail/article/sicherheitsluecke-in-codesys-v23-laufzeitsystem.html",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://www.codesys.com/news-events/press-releases/detail/article/sicherheitsluecke-in-codesys-v23-laufzeitsystem.html"
            },
            {
              "name": "http://ics-cert.us-cert.gov/advisories/ICSA-14-084-01",
              "refsource": "MISC",
              "tags": [
                "US Government Resource"
              ],
              "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-084-01"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2014-05-05T05:16Z",
      "publishedDate": "2013-01-21T21:55Z"
    }
  }
}

FKIE_CVE-2012-6068

Vulnerability from fkie_nvd - Published: 2013-01-21 21:55 - Updated: 2025-07-02 20:15

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
ics-cert@hq.dhs.gov	http://www.codesys.com/news-events/press-releases/detail/article/sicherheitsluecke-in-codesys-v23-laufzeitsystem.html	Vendor Advisory
ics-cert@hq.dhs.gov	http://www.digitalbond.com/tools/basecamp/3s-codesys/
ics-cert@hq.dhs.gov	https://us.codesys.com/ecosystem/security/
ics-cert@hq.dhs.gov	https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-01
ics-cert@hq.dhs.gov	https://www.cisa.gov/news-events/ics-advisories/icsa-14-084-01
af854a3a-2127-422b-91ae-364da2661108	http://ics-cert.us-cert.gov/advisories/ICSA-14-084-01	US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.codesys.com/news-events/press-releases/detail/article/sicherheitsluecke-in-codesys-v23-laufzeitsystem.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.digitalbond.com/tools/basecamp/3s-codesys/
af854a3a-2127-422b-91ae-364da2661108	http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-01.pdf	US Government Resource

Impacted products

Vendor	Product	Version
3s-software	codesys_runtime_system	2.3.9.8
3s-software	codesys_runtime_system	2.3.9.35
3s-software	codesys_runtime_system	2.3.9.36
3s-software	codesys_runtime_system	2.3.9.37
3s-software	codesys_runtime_system	2.4.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:3s-software:codesys_runtime_system:2.3.9.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "CFAB8128-4A70-44CA-A4D3-C859010C8BFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:3s-software:codesys_runtime_system:2.3.9.35:*:*:*:*:*:*:*",
              "matchCriteriaId": "0B99BA40-647D-4203-A003-CAEEF776EF77",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:3s-software:codesys_runtime_system:2.3.9.36:*:*:*:*:*:*:*",
              "matchCriteriaId": "50443443-14B4-4245-BBE3-C5E451739EF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:3s-software:codesys_runtime_system:2.3.9.37:*:*:*:*:*:*:*",
              "matchCriteriaId": "44C690B5-EE5B-4504-B40D-879F757C8029",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:3s-software:codesys_runtime_system:2.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "89253C44-34F0-457C-9EEE-E7028F737E02",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not require authentication, which allows remote attackers to execute commands via the command-line interface in the TCP listener service or transfer files via requests to the TCP listener service."
    },
    {
      "lang": "es",
      "value": "El Runtime Toolkit de CODESYS Runtime System v2.3.x y v2.4.x no requiere autenticaci\u00f3n, lo que permite a atacantes remotos (1) ejecutar comandos a trav\u00e9s de la interfaz de l\u00ednea de comandos del servicio de escucha de TCP o (2) transferir archivos a trav\u00e9s de una petici\u00f3n al servicio de escucha TCP"
    }
  ],
  "id": "CVE-2012-6068",
  "lastModified": "2025-07-02T20:15:28.747",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 10.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "ics-cert@hq.dhs.gov",
        "type": "Secondary"
      }
    ]
  },
  "published": "2013-01-21T21:55:01.103",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.codesys.com/news-events/press-releases/detail/article/sicherheitsluecke-in-codesys-v23-laufzeitsystem.html"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "url": "http://www.digitalbond.com/tools/basecamp/3s-codesys/"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "url": "https://us.codesys.com/ecosystem/security/"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-01"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-084-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-084-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.codesys.com/news-events/press-releases/detail/article/sicherheitsluecke-in-codesys-v23-laufzeitsystem.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.digitalbond.com/tools/basecamp/3s-codesys/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-01.pdf"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2012-6068 (GCVE-0-2012-6068)

GHSA-HH9J-6V4H-23Q7

ICSA-14-084-01

VAR-201301-0110

Vendor description:

Business recommendation:

Vulnerability overview/description:

Proof of concept:

Vulnerable / tested versions:

Vendor contact timeline:

Solution:

Workaround:

Advisory URL:

GSD-2012-6068

FKIE_CVE-2012-6068

Tags

Sightings

Nomenclature