Advisory

Over 70 CODESYS Vulnerabilities Reported in Festo Automation Suite, Multiple Critical

Take action: Make sure all Festo Automation Suite devices are isolated from the internet and accessible from trusted networks only. Plan a prompt update of Festo Automation Suite to version 2.8.0.138 or later, then separately download and install CODESYS Development System 3.5.21.20 directly from the official CODESYS website.


Learn More

CISA reports a sweeping collection of security vulnerabilities affecting CODESYS software as bundled within the Festo Automation Suite. 

The advisory covers all versions of Festo Automation Suite prior to 2.8.0.138 installed with CODESYS Development System versions 3.0 and 3.5.16.10. 

The advisory lists over 70 individual CVEs, the most severe of which have been assigned critical CVSS scores of 9.8. The critical-severity vulnerabilities include:

  • CVE-2018-10612 (CVSS score 9.8) — Improper Access Control in CODESYS Control V3 prior to 3.5.14.0; user management and encryption disabled by default, exposing credentials
  • CVE-2019-13548 (CVSS score 9.8) — Stack-based Buffer Overflow in the CODESYS V3 web server; allows denial-of-service or remote code execution via crafted HTTP/HTTPS requests
  • CVE-2019-18858 (CVSS score 9.8) — Classic Buffer Overflow in the CODESYS 3 web server prior to 3.5.15.20
  • CVE-2019-9010 (CVSS score 9.8) — Improper Access Control; the CODESYS Gateway fails to verify communication channel ownership
  • CVE-2020-10245 (CVSS score 9.8) — Buffer Overflow in the CODESYS V3 web server prior to 3.5.15.40
  • CVE-2020-14509 (CVSS score 9.8) — Buffer Access with Incorrect Length Value in CodeMeter; crafted packets exploit unverified length fields
  • CVE-2020-14517 (CVSS score 9.8) — Inadequate Encryption Strength in CodeMeter; allows remote API communication by breaking protocol encryption
  • CVE-2021-30188 (CVSS score 9.8) — Stack-based Buffer Overflow in CODESYS V2 Runtime Toolkit prior to V2.4.7.55
  • CVE-2021-30190 (CVSS score 9.8) — Missing Authentication for Critical Function in CODESYS V2 Web-Server prior to 1.1.9.20
  • CVE-2021-33485 (CVSS score 9.8) — Heap-based Buffer Overflow in CODESYS Control Runtime prior to 3.5.17.10
  • CVE-2022-31806 (CVSS score 9.8) — Insecure Default Initialization; password protection not enabled by default in CODESYS V2 PLCWinNT
  • CVE-2023-3935 (CVSS score 9.8) — Heap Buffer Overflow in Wibu CodeMeter Runtime up to version 7.60b; allows unauthenticated RCE and full host system access

Additional high-severity vulnerabilities (CVSS scores ranging from 7.1 to 8.8) include issues such as unsafe deserialization enabling arbitrary command execution (CVE-2021-21863 through CVE-2021-21869), cross-site scripting via manipulated library content (CVE-2019-13538), path traversal allowing file access outside restricted directories (CVE-2019-13532), credential transmission without encryption (CVE-2022-31805), and numerous stack- and heap-based out-of-bounds write conditions enabling remote code execution (CVE-2022-47379 through CVE-2022-47390, among others).

Festo has addressed the vulnerabilities by decoupling CODESYS from its Automation Suite beginning with version 2.8.0.138. 

Starting from that version, CODESYS is no longer bundled with the suite and must instead be downloaded and installed separately by the customer. The fixed version for all identified CVEs is CODESYS Development System 3.5.21.20, used as an external component alongside Festo Automation Suite 2.8.0.138. 

Organizations using affected versions are advised to download the latest patched CODESYS release directly from the official CODESYS website, apply Festo Automation Suite updates as released by Festo, and monitor CODESYS security advisories on an ongoing basis. CISA additionally recommends minimizing network exposure for control system devices, placing ICS environments behind firewalls isolated from business networks, and using VPNs for any required remote access.
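As an added example (not part of the advisory, and not Festo or CODESYS code), a small inventory check that encodes the two-part remediation above: the suite must be at 2.8.0.138 or later, and the separately installed CODESYS Development System must be at 3.5.21.20 or later. A host that has been moved to the decoupled suite but still carries the previously bundled CODESYS is flagged as outdated. The host names and version strings in the inventory are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Fixed versions stated in the advisory.
SUITE_FIXED = "2.8.0.138"
CODESYS_FIXED = "3.5.21.20"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '3.5.16.10' into a comparable tuple of ints."""
    return tuple(int(part) for part in v.strip().lstrip("vV").split("."))


def version_at_least(installed: str, required: str) -> bool:
    """True if installed >= required; shorter strings are padded with zeros."""
    a, b = parse_version(installed), parse_version(required)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


@dataclass
class Host:
    name: str
    suite_version: str
    codesys_version: Optional[str]  # None when no CODESYS Development System is present


def assess(host: Host) -> str:
    """Classify a host against the advisory's fixed versions."""
    if not version_at_least(host.suite_version, SUITE_FIXED):
        return "suite-outdated"      # still a bundled (pre-2.8.0.138) suite
    if host.codesys_version is None:
        return "codesys-absent"      # decoupled suite, nothing to patch here
    if not version_at_least(host.codesys_version, CODESYS_FIXED):
        return "codesys-outdated"    # suite updated, old CODESYS left behind
    return "patched"


def affected_hosts(inventory: List[Host]) -> Dict[str, str]:
    """Return {host name: finding} for every host that still needs action."""
    return {h.name: assess(h) for h in inventory if assess(h).endswith("outdated")}


# Constructed sample inventory (hypothetical host names and versions).
INVENTORY = [
    Host("eng-ws-01", "2.7.3.50", "3.5.16.10"),
    Host("eng-ws-02", "2.8.0.138", "3.5.16.10"),
    Host("eng-ws-03", "2.8.0.138", "3.5.21.20"),
    Host("eng-ws-04", "2.8.1.0", None),
]

if __name__ == "__main__":
    for name, finding in affected_hosts(INVENTORY).items():
        print(f"{name}: {finding}")
```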
