Employes from Qualys Inc and Tenable Network Security, USA, detected a leak in the well known software CODESYS V2.3. We as well use CODESYS 184.108.40.206 in our IEC 61131-3 tool codeIT but our systems are not affected while using appropriate security settings.
Using a LAN connection to CODESYS server a leak allows a nullpointer exception, which causes the server to crash creating a denial of service. The program stops any control activities.
This leak is only affected by CODESYS applications, which are available in a Ethernet network such as Web visualisation by CODESYS-Web or any communication link performed by CODESYS using IEC 60870-5-104 from some of our competitors.
The codeIT runtime in series5 and series5+ RTUs is encapsulated. There is only one existing port to the programming system, which may be cut of or limited via firewall to single sockets. A hot system normaly uses a well checked PLC application. Therefore there are more or less no reasons to leave this link open.
According to BDEW Whitepapers we recommend to use series5+ telecontrol systems and to close any unused entries via firewall.
Additional information to CODESYS leak
The bug officially was noticed by ICSA-15-288-01 und ICSA-15-293-03. Additional information may be found here:
The manufacturer 3S-smart software solutions provided a patch with release 220.127.116.11 to close this leak. This release had to be withdrawn from market beacuse of major quality issues. The release of the follwing patch 18.104.22.168 will be announced in RSS-Feeds https://www.codesys.com/news-events/codesys-rss-feeds.html following CODESYS V2.3.