VDE-2024-027

Vulnerability from csaf_codesysgmbh - Published: 2024-06-04 06:00 - Updated: 2025-05-14 13:00
Summary
CODESYS: Vulnerability in multiple products through exposure of resource to wrong sphere
Notes
Summary: All legitimate local Microsoft Windows users can read or modify files that are located in the working directory of the affected CODESYS products, even if they are executed under a different user or in the system context.
Impact: The CODESYS Development System is an IEC 61131-3 programming tool for the industrial controller and automation technology sector. The integrated runtime for simulating CODESYS projects as well as CODESYS Control Win V3, CODESYS HMI and the CODESYS (Edge) Gateway running under the Microsoft Windows operating system have their working directory under %ProgramData%\CODESYS\ by default. All legitimate local Microsoft Windows users can read or modify files in this working directory, even if the affected products are running under a different user or in the system context.
Mitigation: Only create required user accounts on the Microsoft Windows systems on which the affected software is installed. Users who do not need to use the affected software should not have access to these systems.
Remediation: Update the following products to version 3.5.20.10.

  • CODESYS Control Win (SL)
  • CODESYS Edge Gateway for Windows
  • CODESYS Gateway for Windows
  • CODESYS HMI (SL)
  • CODESYS Development System V3

The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS download area.

The working directories of the affected products are moved to "%APPDATA%\CODESYS\", which is usually located in C:\Users\<user>\AppData\CODESYS\ and can only be accessed by the respective user.

If the PLC is started with the "CODESYS Control Win SysTray PLC Control", it runs in the Windows user account "LocalSystem" and therefore the effective working directory is "C:\Windows\system32\config\systemprofile\AppData\Roaming\CODESYS\" or C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\CODESYS\. An administrator account is required to access these folders.

A local attacker with low privileges can read and modify any user's files and cause a DoS in the working directory of the affected products due to exposure of resource to wrong sphere.

CWE-668 - Exposure of Resource to Wrong Sphere
Acknowledgments
CERT@VDE
joker63

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination"
      },
      {
        "names": [
          "joker63"
        ],
        "summary": "discovered"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "All legitimate local Microsoft Windows users can read or modify files that are located in the working directory of the affected CODESYS products, even if they are executed under a different user or in the system context.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "The CODESYS Development System is an IEC 61131-3 programming tool for the industrial controller and automation technology sector. The integrated runtime for simulating CODESYS projects as well as CODESYS Control Win V3, CODESYS HMI and the CODESYS (Edge) Gateway running under the Microsoft Windows operating system have their working directory under %ProgramData%\\CODESYS\\ by default. All legitimate local Microsoft Windows users can read or modify files in this working directory, even if the affected products are running under a different user or in the system context.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Only create required user accounts on the Microsoft Windows systems on which the affected software is installed. Users who do not need to use the affected software should not have access to these systems.",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "Update the following products to version 3.5.20.10.  \n  \nCODESYS Control Win (SL)  \nCODESYS Edge Gateway for Windows  \nCODESYS Gateway for Windows  \nCODESYS HMI (SL)  \nCODESYS Development System V3  \nThe CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS download area.  \n  \nThe working directories of the affected products are moved to \"%APPDATA%\\CODESYS\\\", which is usually located in C:\\Users\\\u003cuser\u003e\\AppData\\CODESYS\\ and can only be accessed by the respective user.  \n  \nIf the PLC is started with the \"CODESYS Control Win SysTray PLC Control\", it runs in the Windows user account \"LocalSystem\" and therefore the effective working directory is \"C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\CODESYS\\\" or C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\CODESYS\\. An administrator account is required to access these folders.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "security@codesys.com",
      "name": "CODESYS GmbH",
      "namespace": "https://www.codesys.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "CODESYS GmbH",
        "url": "https://codesys.com"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories",
        "url": "https://certvde.com/en/advisories/vendor/codesys/"
      },
      {
        "category": "self",
        "summary": "VDE-2024-027: CODESYS: Vulnerability in multiple products through exposure of resource to wrong sphere - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2024-027/"
      },
      {
        "category": "self",
        "summary": "VDE-2024-027: CODESYS: Vulnerability in multiple products through exposure of resource to wrong sphere - CSAF",
        "url": "https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2024/vde-2024-027.json"
      }
    ],
    "title": "CODESYS: Vulnerability in multiple products through exposure of resource to wrong sphere",
    "tracking": {
      "aliases": [
        "VDE-2024-027"
      ],
      "current_release_date": "2025-05-14T13:00:14.000Z",
      "generator": {
        "date": "2025-04-11T07:49:01.889Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.23"
        }
      },
      "id": "VDE-2024-027",
      "initial_release_date": "2024-06-04T06:00:00.000Z",
      "revision_history": [
        {
          "date": "2024-06-04T06:00:00.000Z",
          "number": "1",
          "summary": "initial revision"
        },
        {
          "date": "2025-04-11T07:00:00.000Z",
          "number": "2",
          "summary": "FIx: version range"
        },
        {
          "date": "2025-05-14T13:00:14.000Z",
          "number": "3",
          "summary": "Fix: added distribution"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "CODESYS Control Win",
                "product": {
                  "name": "CODESYS Control Win",
                  "product_id": "CSAFPID-11001"
                }
              },
              {
                "category": "product_name",
                "name": "CODESYS Development System V3",
                "product": {
                  "name": "CODESYS Development System V3",
                  "product_id": "CSAFPID-11002"
                }
              },
              {
                "category": "product_name",
                "name": "CODESYS Edge Gateway for Windows",
                "product": {
                  "name": "CODESYS Edge Gateway for Windows",
                  "product_id": "CSAFPID-11003"
                }
              },
              {
                "category": "product_name",
                "name": "CODESYS Gateway for Windows",
                "product": {
                  "name": "CODESYS Gateway for Windows",
                  "product_id": "CSAFPID-11004"
                }
              },
              {
                "category": "product_name",
                "name": "CODESYS HMI",
                "product": {
                  "name": "CODESYS HMI",
                  "product_id": "CSAFPID-11005"
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c3.5.20.10",
                "product": {
                  "name": "Firmware \u003c3.5.20.10",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_version",
                "name": "3.5.20.10",
                "product": {
                  "name": "Firmware 3.5.20.10",
                  "product_id": "CSAFPID-22001"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c3.5.20.10",
                "product": {
                  "name": "Firmware \u003c3.5.20.10",
                  "product_id": "CSAFPID-21002"
                }
              },
              {
                "category": "product_version",
                "name": "3.5.20.10",
                "product": {
                  "name": "Firmware 3.5.20.10",
                  "product_id": "CSAFPID-22002"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "CODESYS GmbH"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005"
        ],
        "summary": "Affected Products"
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005"
        ],
        "summary": "Fixed Products"
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c3.5.20.10 installed on CODESYS Control Win",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 3.5.20.10 installed on CODESYS Control Win",
          "product_id": "CSAFPID-32001"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c3.5.20.10 installed on CODESYS Development System V3",
          "product_id": "CSAFPID-31002"
        },
        "product_reference": "CSAFPID-21002",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 3.5.20.10 installed on CODESYS Development System V3",
          "product_id": "CSAFPID-32002"
        },
        "product_reference": "CSAFPID-22002",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c3.5.20.10 installed on CODESYS Edge Gateway for Windows",
          "product_id": "CSAFPID-31003"
        },
        "product_reference": "CSAFPID-21002",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 3.5.20.10 installed on CODESYS Edge Gateway for Windows",
          "product_id": "CSAFPID-32003"
        },
        "product_reference": "CSAFPID-22002",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c3.5.20.10 installed on CODESYS Gateway for Windows",
          "product_id": "CSAFPID-31004"
        },
        "product_reference": "CSAFPID-21002",
        "relates_to_product_reference": "CSAFPID-11004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 3.5.20.10 installed on CODESYS Gateway for Windows",
          "product_id": "CSAFPID-32004"
        },
        "product_reference": "CSAFPID-22002",
        "relates_to_product_reference": "CSAFPID-11004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c3.5.20.10 installed on CODESYS HMI",
          "product_id": "CSAFPID-31005"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11005"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 3.5.20.10 installed on CODESYS HMI",
          "product_id": "CSAFPID-32005"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11005"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-5751",
      "cwe": {
        "id": "CWE-668",
        "name": "Exposure of Resource to Wrong Sphere"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "A local attacker with low privileges can read and modify any users files and cause a DoS in the working directory of the affected products due to exposure of resource to wrong sphere. ",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Only create required user accounts on the Microsoft Windows systems on which the affected software is installed. Users who do not need to use the affected software should not have access to these systems.\n\n",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update the following products to version 3.5.20.10.  \n  \nCODESYS Control Win (SL)  \nCODESYS Edge Gateway for Windows  \nCODESYS Gateway for Windows  \nCODESYS HMI (SL)  \nCODESYS Development System V3  \nThe CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS download area.  \n  \nThe working directories of the affected products are moved to \"%APPDATA%\\CODESYS\\\", which is usually located in C:\\Users\\\u003cuser\u003e\\AppData\\CODESYS\\ and can only be accessed by the respective user.  \n  \nIf the PLC is started with the \"CODESYS Control Win SysTray PLC Control\", it runs in the Windows user account \"LocalSystem\" and therefore the effective working directory is \"C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\CODESYS\\\" or C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\CODESYS\\. An administrator account is required to access these folders.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 7.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005"
          ]
        }
      ],
      "title": "CVE-2023-5751"
    }
  ]
}

