Attackers can exploit software flaws in control systems to attack power plants and bring them to a standstill. Critical infrastructure in Germany is also at risk. A security patch is available.
Security researchers from Microsoft warn of possible attacks in a report. Specifically, they discovered 15 vulnerabilities in the CODESYS V3 SDK with a “high” threat level. The SDK is used to build programmable logic controllers (PLCs) that are deployed in critical infrastructure, primarily in Europe.
Attackers can exploit the vulnerabilities for DoS attacks or even to execute malicious code. If such attacks succeed, attackers can paralyze entire power plants, establish persistence in systems via a backdoor, and exfiltrate information.
The vulnerabilities affect several CODESYS components such as CmpApp and CmpCodeMeter. There is no size check when passing tags with instructions to the PLC, so attackers can trigger memory corruption here.
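The class of bug described above, a tag whose length field is copied without a size check, is shown here beside a checked version. This is an added illustration, not code from CODESYS or from Microsoft's report; the tag layout, buffer size and function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* assumed size of the fixed destination buffer */

/* Constructed tag layout (an assumption, not the CODESYS V3 wire format):
 *   [1 byte tag id][1 byte length][length bytes of value] */

/* Unsafe pattern: trusts the length byte taken from the message. */
int copy_tag_unchecked(const uint8_t *msg, size_t msg_len, uint8_t *dst)
{
    (void)msg_len;                    /* never consulted: that is the bug */
    memcpy(dst, msg + 2, msg[1]);     /* length comes from the sender */
    return msg[1];
}

/* Hardened form: returns the value length, or -1 if the tag is rejected. */
int copy_tag_checked(const uint8_t *msg, size_t msg_len,
                     uint8_t *dst, size_t dst_cap)
{
    if (msg == NULL || dst == NULL || msg_len < 2)
        return -1;                    /* header itself is truncated */
    size_t len = msg[1];
    if (len > msg_len - 2)
        return -1;                    /* claims more data than was received */
    if (len > dst_cap)
        return -1;                    /* would overflow the destination */
    memcpy(dst, msg + 2, len);
    return (int)len;
}

/* Runs the checked parser on three constructed messages; returns a
 * bitmask with one bit set per message that behaved as expected. */
int demo(void)
{
    uint8_t name[NAME_MAX_LEN];
    const uint8_t ok[]        = { 0x01, 3, 'p', 'l', 'c' };
    const uint8_t truncated[] = { 0x01, 9, 'p', 'l', 'c' };
    uint8_t oversized[2 + 32] = { 0x01, 32 };   /* 32 > NAME_MAX_LEN */
    int r = 0;
    r |= (copy_tag_checked(ok, sizeof ok, name, sizeof name) == 3) << 0;
    r |= (copy_tag_checked(truncated, sizeof truncated, name, sizeof name) == -1) << 1;
    r |= (copy_tag_checked(oversized, sizeof oversized, name, sizeof name) == -1) << 2;
    return r;
}

int main(void) { return demo() == 7 ? 0 : 1; }
```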
For this to work, however, an attacker must be authenticated and have in-depth knowledge of the proprietary CODESYS V3 protocol. According to Microsoft, authentication is not a major hurdle because attackers can obtain credentials through another vulnerability (CVE-2023-9013).
The security researchers state that they reported the vulnerabilities to the SDK provider in September 2022. Version 184.108.40.206, which is protected against the attacks, is now available for download. The software manufacturer provides further information on the vulnerabilities in a security advisory.
The security researchers have compiled their findings on the vulnerabilities on a GitHub page. They also provide open source tools to detect attacks.