A critical flaw in a web server for the CODESYS automation software for engineering control systems could allow a remote, unauthenticated attacker to crash a server or execute code. The bug is rated 10 out of 10 on the CVSS v.2 vulnerability severity scale and requires little skill to exploit, the company said. It’s a heap-based buffer overflow – a class of vulnerability where the region of a process’ memory used to store dynamic variables (the heap) can be overwhelmed – and thus be made inaccessible to other processes. In this case, the bug (CVE-2020-10245) exists in the CODESYS web server, which is used to display CODESYS system visualization screens in a web browser. “This could crash the web server, lead to a denial-of-service condition or may be utilized for remote code execution,” according to the company’s advisory [PDF]. “As the web server is part of the CODESYS runtime system, this may result in unforeseen behavior of the complete runtime system.” CODESYS is a software suite used by automation specialists as a development environment for programming controller applications, often found in industrial environments, according to its website. Developed by the Germany-based company Smart Software Solutions (3S) to make the engineering of automated solutions more convenient, it’s a platform-independent development environment that is compatible with programmable logic controller (PLC) hardware and many other automation components available from hundreds of companies….
0 0 govanguard https://govanguard.com/wp-content/uploads/2018/04/Header_Logo.png govanguard2020-03-26 16:12:002020-03-26 16:12:00Critical CODESYS Bug Allows Remote Code Execution
Our Standard Office Hours
Monday – Friday: 8:00AM – 5:00PM EDT
Saturday – Sunday: Closed
Where to Find Us
Data Privacy Notice
- – All product names, logos, and brands are property of their respective owners.
- – The use of these names, logos, and brands is for identification purposes only and does not imply endorsement.
- – Content syndication and aggregation of public information is solely for the purpose of identifying information security trends, all syndicated content contains source links to the content creator website. All content is owned by it’s respective content creators.
- – If you are an owner of some content and want it to be removed, please email email@example.com