SAE IT-systems
Im Gewerbegebiet Pesch 14 50767 Köln, Deutschland
0221 598080 0221 5980860 DE812996839 Dipl.-Ing Joachim Schuster

Security notifications

CODESYS ICSA-15-288-01

Employees of Qualys Inc. and Tenable Network Security, USA, discovered a vulnerability in the well-known software CODESYS V2.3. We also use CODESYS 2.3.9.38 in our IEC 61131-3 tool codeIT, but our systems are not affected when appropriate security settings are used.

Over a LAN connection to the CODESYS server, the vulnerability can trigger a null pointer exception, which crashes the server and results in a denial of service. The program stops all control activities.

The vulnerability only affects CODESYS applications that are reachable over an Ethernet network, such as web visualisation with CODESYS-Web, or communication links that CODESYS itself handles using IEC 60870-5-104, as in products from some of our competitors.

The codeIT runtime in series5 and series5+ RTUs is encapsulated. There is only one port to the programming system, which can be cut off or limited to single sockets via the firewall. A system in operation normally runs a well-checked PLC application, so there is little or no reason to leave this link open.

In line with the BDEW white papers, we recommend using series5+ telecontrol systems and closing any unused entry points via the firewall.
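One way to check an exported firewall allow-list against the recommendation above, that the programming port is either closed or limited to single sockets. This is an added example, not code from SAE IT-systems or CODESYS. The rule format, the default-deny assumption, the port number 50000 and all addresses are constructed placeholders, since the page does not state them.

```python
import ipaddress
from typing import NamedTuple

# Placeholder: the page does not state the programming-port number.
PROGRAMMING_PORT = 50000

class AllowRule(NamedTuple):
    source: str  # single address, CIDR network, or "any"
    port: int    # destination TCP port on the RTU

def is_single_host(source: str) -> bool:
    """True only if the source is exactly one address (IPv4 /32 or IPv6 /128)."""
    try:
        return ipaddress.ip_network(source, strict=False).num_addresses == 1
    except ValueError:  # "any" or an unparsable entry is never a single host
        return False

def audit_programming_port(allow_rules, port=PROGRAMMING_PORT):
    """Return (status, findings) for one port of a default-deny allow-list.

    status is "closed" (no rule opens the port), "single-host-only"
    (every rule names one address) or "exposed" (some rule is wider).
    """
    matching = [r for r in allow_rules if r.port == port]
    if not matching:
        return "closed", []
    findings = [f"{r.source} -> tcp/{port}: not a single host address"
                for r in matching if not is_single_host(r.source)]
    return ("exposed" if findings else "single-host-only"), findings

# Constructed rule sets (documentation address ranges, not real systems).
CLOSED = [AllowRule("192.0.2.0/24", 2404)]  # only IEC 60870-5-104 is open
LIMITED = [AllowRule("192.0.2.10", PROGRAMMING_PORT),
           AllowRule("2001:db8::5/128", PROGRAMMING_PORT)]
EXPOSED = LIMITED + [AllowRule("192.0.2.0/24", PROGRAMMING_PORT),
                     AllowRule("any", PROGRAMMING_PORT)]

if __name__ == "__main__":
    for name, rules in (("closed", CLOSED), ("limited", LIMITED), ("exposed", EXPOSED)):
        status, findings = audit_programming_port(rules)
        print(f"{name}: {status}")
        for finding in findings:
            print("  " + finding)
```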

Additional information on the CODESYS vulnerability

The bug was officially reported in ICSA-15-288-01 and ICSA-15-293-03. Additional information can be found here:

https://ics-cert.us-cert.gov/advisories/ICSA-15-288-01

https://ics-cert.us-cert.gov/advisories/ICSA-15-293-03

The manufacturer 3S-smart software solutions provided a patch with release 2.3.9.48 to close this vulnerability. That release had to be withdrawn from the market because of major quality issues. The release of the following patch, 2.3.9.49, will be announced in the RSS feeds for CODESYS V2.3 at https://www.codesys.com/news-events/codesys-rss-feeds.html.
