Weekly Executive Summary for Week of April 14, 2017

Commonly Used IIOT and Industrial Control Framework Contains Critical Vulnerabilities

Devices using CODESYS WebServer v2.3 and prior are affected by critical vulnerabilities found in the software framework.  This framework is used in many Industrial Internet of Things (IIoT) and Industrial Control System (ICS) devices.  Almost all of the different critical industrial infrastructure sectors use these devices.  The vendor for CODESYS Webserver, 3S-Smart Software Solutions GmbH, has provided a directory that manufacturers who use CODESYS to program their devices.  It can be used to determine if the devices are affected by the vulnerabilities: CODESYS Device Directory.

One of the vulnerabilities allows an unauthorized user to upload arbitrary code to the CODESYS webserver.  This may allow for remote execution of the code as well.  The other is a stack-based buffer overflow vulnerability that may allow the malicious user to crash the application itself or to run arbitrary code.  Both of these vulnerabilities were assigned a CVSS v3 base score of 9.8, which deem them as critical.

3S-Smart Software Solutions GmbH has provided a patch, V.1.1.9.18, for these vulnerabilities.  Users will need to register for an account and download the files located at CODESYS Development System V2.3.  Other ways to minimize risk, suggested by ICS-CERT, is for users to minimize network exposure for control systems and remove internet accessibility, isolate control system networks and remote devices from the business network, and if remote access is necessary, ensure secure methods, such as Virtual Private Networks (VPNs) are being used.

Sources: Critical Vulnerabilities Discovered in Widely Used IIoT and Industrial Control Framework (CyberX), Advisory (ICSA-17-087-02) (ICS-CERT)

Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cybersecurity and business strategies. In order for this website to serve the community we need to know your concerns and questions about (for example) proper safeguards for technology you’re looking into or what sets of compliance and governance policies would you need to operate a particular business. The CSCC openly invites you to send in your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity. Mail us at: uhwocscc@hawaii.edu