VDE-2024-046

Vulnerability from csaf_codesysgmbh - Published: 2024-09-10 14:00 - Updated: 2024-09-10 14:00
Summary
OSCAT: Out-of-bounds read in OSCAT Basic library
Notes
Summary: The OSCAT Basic library is one of several libraries developed and provided by OSCAT. OSCAT (oscat.de) stands for "Open Source Community for Automation Technology". The OSCAT Basic library offers function blocks for various tasks, e.g. for buffer management, list processing, control technology, mathematics, string processing, time and date conversion. By adding the OSCAT Basic library into IEC 61131-3-compliant programming tools, PLC programmers can use all the functions provided by the library in their control programs. Within the library, the MONTH_TO_STRING function is affected by an out-of-bounds read vulnerability. Exploitation of the vulnerability may lead to limited access to internal data or possibly to a crash of the PLC.
Impact: The OSCAT Basic library, which is developed and provided by OSCAT, the "Open Source Community for Automation Technology", as an extension to the IEC 61131-3-based programming tools, offers functions for a wide range of programming tasks. As part of the date and time processing functions, the library offers a function called MONTH_TO_STRING for converting months into various selectable string representations. The MONTH_TO_STRING function of the OSCAT Basic library does not completely check the valid ranges of the passed values. This poses a vulnerability for the programmed PLC if values are passed to the MONTH_TO_STRING function that are fed into the PLC program from outside. An example could be a visualization in which integer values can be entered, which are then passed directly from the PLC program without further range checking as parameters to the MONTH_TO_STRING function. By entering values outside the valid range, an attacker can perform out-of-bounds read accesses to read limited internal data from the PLC or possibly cause it to crash.
Mitigation: CODESYS GmbH recommends an update of the OSCAT Basic library to address the security vulnerability. Without an update, the vulnerability can be prevented by validating all values in the PLC program before they are passed to the affected function. In particular, negative values must be blocked as function parameters of MONTH_TO_STRING. Regardless of whether the OSCAT Basic library in the programming system was updated or the security vulnerability in the PLC program was mitigated, a download or online change must be performed to update the application on the PLC. And don't forget to rebuild/download the boot project.
Remediation: Update the OSCAT Basic library to version 3.3.5. The OSCAT Basic library version 3.3.5 is expected to be released in September 2024. To make the fix effective for existing CODESYS projects, you also must adjust the version of the OSCAT Basic library to be used in the Library Manager of the CODESYS project to version 3.3.5.0. Then you must update the CODESYS application on the PLC by download or online change and rebuild/download the boot application.
CWE-125 - Out-of-bounds Read
Acknowledgments
Modern Microprocessors Architecture (MoMA) Lab: Corban Villa, Hithem Lamri, Constantine Doumanidis, Michail Maniatakos (wp.nyu.edu/momalab/)

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERTVDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "names": [
          "Corban Villa",
          "Hithem Lamri",
          "Constantine Doumanidis",
          "Michail Maniatakos"
        ],
        "organization": "Modern Microprocessors Architecture (MoMA) Lab",
        "summary": "reporting",
        "urls": [
          "https://wp.nyu.edu/momalab/"
        ]
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "The OSCAT Basic library is one of several libraries developed and provided by OSCAT. OSCAT (oscat.de) stands for \"Open Source Community for Automation Technology\".\n\nThe OSCAT Basic library offers function blocks for various tasks, e.g. for buffer management, list processing, control technology, mathematics, string processing, time and date conversion. By adding the OSCAT Basic library into IEC 61131-3-compliant programming tools, PLC programmers can use all the functions provided by the library in their control programs.\n\nWithin the library, the MONTH_TO_STRING function is affected by an out-of-bounds read vulnerability. Exploitation of the vulnerability may lead to limited access to internal data or possibly to a crash of the PLC.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "The OSCAT Basic library, which is developed and provided by OSCAT, the \"Open Source Community for Automation Technology\", as an extension to the IEC 61131-3-based programming tools, offers functions for a wide range of programming tasks. As part of the date and time processing functions, the library offers a function called MONTH_TO_STRING for converting months into various selectable string representations.\n\nThe MONTH_TO_STRING function of the OSCAT Basic library does not completely check the valid ranges of the passed values. This poses a vulnerability for the programmed PLC if values are passed to the MONTH_TO_STRING function that are fed into the PLC program from outside. An example could be a visualization in which integer values can be entered, which are then passed directly from the PLC program without further range checking as parameters to the MONTH_TO_STRING function. By entering values outside the valid range, an attacker can perform out-of-bounds read accesses to read limited internal data from the PLC or possibly cause it to crash.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "CODESYS GmbH recommends an update of the OSCAT Basic library to address the security vulnerability. Without an update, the vulnerability can be prevented by validating all values in the PLC program before they are passed to the affected function. In particular, negative values must be blocked as function parameters of MONTH_TO_STRING.\n\nRegardless of whether the OSCAT Basic library in the programming system was updated or the security vulnerability in the PLC program was mitigated, a download or online change must be performed to update the application on the PLC. And don\u0027t forget to rebuild/download the boot project.",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "Update the OSCAT Basic library to version 3.3.5.\n\nThe OSCAT Basic library version 3.3.5 is expected to be released in September 2024.\n\nTo make the fix effective for existing CODESYS projects, you also must adjust the version of the OSCAT Basic library to be used in the Library Manager of the CODESYS project to version 3.3.5.0. Then you must update the CODESYS application on the PLC by download or online change and rebuild/download the boot application.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "security@codesys.com",
      "name": "CODESYS GmbH",
      "namespace": "https://www.codesys.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "VDE-2024-046: OSCAT: Out-of-bounds read in OSCAT Basic library - HTML",
        "url": "https://certvde.com/de/advisories/VDE-2024-046/"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for CODESYS GmbH",
        "url": "https://certvde.com/en/advisories/vendor/codesys/"
      },
      {
        "category": "self",
        "summary": "VDE-2024-046: OSCAT: Out-of-bounds read in OSCAT Basic library - CSAF",
        "url": "https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2024/vde-2024-046.json"
      }
    ],
    "title": "OSCAT: Out-of-bounds read in OSCAT Basic library",
    "tracking": {
      "aliases": [
        "VDE-2024-046"
      ],
      "current_release_date": "2024-09-10T14:00:00.000Z",
      "generator": {
        "date": "2025-05-05T08:11:27.031Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.24"
        }
      },
      "id": "VDE-2024-046",
      "initial_release_date": "2024-09-10T14:00:00.000Z",
      "revision_history": [
        {
          "date": "2024-09-10T14:00:00.000Z",
          "number": "1",
          "summary": "initial revision"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "oscat.de OSCAT Basic Library",
                "product": {
                  "name": "oscat.de OSCAT Basic Library",
                  "product_id": "CSAFPID-11001"
                }
              },
              {
                "category": "product_name",
                "name": "CODESYS OSCAT Basic Library",
                "product": {
                  "name": "CODESYS OSCAT Basic Library",
                  "product_id": "CSAFPID-11002"
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c3.3.5.0",
                "product": {
                  "name": "Firmware \u003c3.3.5.0",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_version",
                "name": "3.3.5.0",
                "product": {
                  "name": "Firmware 3.3.5.0",
                  "product_id": "CSAFPID-22001"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c335",
                "product": {
                  "name": "Firmware \u003c335",
                  "product_id": "CSAFPID-21002"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c3.3.5",
                "product": {
                  "name": "Firmware \u003c3.3.5",
                  "product_id": "CSAFPID-21003"
                }
              },
              {
                "category": "product_version",
                "name": "3.3.5",
                "product": {
                  "name": "Firmware 3.3.5",
                  "product_id": "CSAFPID-22002"
                }
              },
              {
                "category": "product_version",
                "name": "335",
                "product": {
                  "name": "Firmware 335",
                  "product_id": "CSAFPID-22003"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "CODESYS GmbH"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003"
        ],
        "summary": "affected products"
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "summary": "fixed products"
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c3.3.5.0 installed on oscat.de OSCAT Basic Library",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 3.3.5.0 installed on oscat.de OSCAT Basic Library",
          "product_id": "CSAFPID-32001"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c335 installed on CODESYS OSCAT Basic Library",
          "product_id": "CSAFPID-31002"
        },
        "product_reference": "CSAFPID-21002",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c3.3.5 installed on CODESYS OSCAT Basic Library",
          "product_id": "CSAFPID-31003"
        },
        "product_reference": "CSAFPID-21003",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 3.3.5 installed on CODESYS OSCAT Basic Library",
          "product_id": "CSAFPID-32002"
        },
        "product_reference": "CSAFPID-22002",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 335 installed on CODESYS OSCAT Basic Library",
          "product_id": "CSAFPID-32003"
        },
        "product_reference": "CSAFPID-22003",
        "relates_to_product_reference": "CSAFPID-11002"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-6876",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Out-of-Bounds read vulnerability in OSCAT Basic Library allows an local, unprivileged attacker to access limited internal data of the PLC which may lead to a crash of the affected service."
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "CODESYS GmbH recommends an update of the OSCAT Basic library to address the security vulnerability. Without an update, the vulnerability can be prevented by validating all values in the PLC program before they are passed to the affected function. In particular, negative values must be blocked as function parameters of MONTH_TO_STRING.\n\nRegardless of whether the OSCAT Basic library in the programming system was updated or the security vulnerability in the PLC program was mitigated, a download or online change must be performed to update the application on the PLC. And don\u0027t forget to rebuild/download the boot project.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update the OSCAT Basic library to version 3.3.5.\n\nThe OSCAT Basic library version 3.3.5 is expected to be released in September 2024.\n\nTo make the fix effective for existing CODESYS projects, you also must adjust the version of the OSCAT Basic library to be used in the Library Manager of the CODESYS project to version 3.3.5.0. Then you must update the CODESYS application on the PLC by download or online change and rebuild/download the boot application.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 5.1,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.1,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2024-6876"
    }
  ]
}

