
Microsoft reveals severe vulnerabilities in CODESYS industrial automation software

LAS VEGAS – Sixteen new vulnerabilities have been uncovered by Microsoft researchers affecting tools used in industrial operations around the world.

Microsoft security researcher Vladimir Eliezer Tokarev outlined the issues affecting CODESYS — a widely used industrial automation software — during a presentation at the Black Hat security conference last week, and Microsoft also published its own blog post.

The software is used to engineer programmable logic controllers (PLCs), which are in everything from traffic lights to elevators to critical infrastructure. PLCs run in systems like water and wastewater processing systems, mining, manufacturing and energy production.

“It is basically a development system that connects to your smart devices and allows different logics to be executed on those devices,” Tokarev explained.

“It's used in the process automation industry, in the energy industries, in transportation, smart housing, factories and embedded industries.”

All of the vulnerabilities found by the researchers carry CVSS severity scores above 7.5, with most reaching 8.8 out of 10.

Many of them could allow hackers to either escalate their privileges to other parts of a system, steal credentials or cause physical issues within a plant.

“With CODESYS being used by many vendors, one vulnerability may affect many sectors, device types, and verticals, let alone multiple vulnerabilities… A successful attack has the potential to inflict great damage on targets,” Microsoft said.

“Threat actors could launch a DoS [denial-of-service] attack against a device using a vulnerable version of CODESYS to shut down industrial operations or exploit the RCE [remote code execution] vulnerabilities to deploy a backdoor to steal sensitive data, tamper with operations, or force a PLC to operate in a dangerous way.”

CODESYS has sold more than 8 million device licenses — most to manufacturers of programmable automation components and controllers like Schneider Electric and Festo. Its automation suite runs on some 1,000 models of more than 500 manufacturers.

Another CODESYS vulnerability was found last November.

Tokarev and Microsoft urged users of the software to check with the manufacturer of the device they are using for information on what version to upgrade to or what firmware to download.

At the Black Hat conference, Tokarev gave a detailed walkthrough of the issues, using a miniature elevator as an example.

Using a small model elevator driven up and down by a Schneider Electric controller, he showed that the vulnerability could be used to crash the elevator.

“There are millions and millions of devices around the world that use CODESYS in different industries and sectors,” he said, adding that the software is most widely used in Europe, Asia and Australia.

“They are very naturally absorbed into critical infrastructure and they are supply chain attack vectors that should be regarded accordingly. Because of its popularity and because of its wide usage around the globe, it's a very interesting, critical attack vector that should be protected and mitigated.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.