Microsoft researchers have identified multiple high-severity vulnerabilities that could enable threat actors to shut down power plants.
The flaws were discovered within the CODESYS software development kit (SDK), which is widely used to program and engineer programmable logic controllers in industrial operational technology (OT) systems in sectors like manufacturing and energy.
All versions of CODESYS V3 SDK prior to 3.5.19.0 are affected by the 15 bugs, which were listed in a Microsoft blog post published on August 10, 2023.
The Microsoft’s cyberphysical systems research team said that exploitation of the discovered vulnerabilities could put critical infrastructure organizations at risk of attacks such as remote code execution (RCE) and denial of service (DoS).
A DoS attack against a device using a vulnerable version of CODESYS could enable attackers to shut down a power plant, according to the researchers. In addition, threat actors could tamper with operations, cause a PLC to run in an unusual way, or steal critical information by deploying a backdoor via an RCE.
The researchers acknowledged that exploitation is difficult, with attackers requiring user authentication alongside “deep knowledge of the proprietary protocol of CODESYS V3 and the structure of the different services that the protocol uses.”
It is not the first time vulnerabilities have been discovered in the CODESYS automation software, with Chinese cybersecurity firm NSFOCUS spotting 11 critical security flaws in June 2022.
Remediation
Microsoft said it reported the latest discovery to CODESYS in September 2022 and worked with the firm to develop patches.
CODESYS customers have been urged to apply these fixes as soon as possible. Microsoft recommended that they first identify the devices using CODESYS in their network before checking with device manufacturers to determine which version of the CODESYS SDK is used and whether a patch is available.
To assists with this process, the Microsoft cyberphysical system research team has released an open-source software tool on GitHub that allows users to communicate with devices in their environment that run CODESYS and extract the version of CODESYS on their devices in a safe manner to confirm if their devices are vulnerable.
