​CODESYS Development System

1. EXECUTIVE SUMMARY

• ​CVSS v3 7.3 
• ​ATTENTION: low attack complexity 
• ​Vendor: CODESYS, GmbH 
• ​Equipment: CODESYS Development System 
• ​Vulnerability: Uncontrolled Search Path Element. 

2. RISK EVALUATION

​Successful exploitation of this vulnerability could cause users to unknowingly launch a malicious binary placed by a local attacker. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

​CODESYS reports this vulnerability affects the following versions of CODESYS Development System: 

• ​CODESYS Development System: versions from 3.5.17.0 and prior to 3.5.19.20 

3.2 VULNERABILITY OVERVIEW

3.2.1 ​UNCONTROLLED SEARCH PATH ELEMENT CWE-427 

​In CODESYS Development System versions from 3.5.17.0 and prior to 3.5.19.20 a vulnerability allows for execution of binaries from the current working directory in the users’ context. 

​CVE-2023-3662 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

• ​CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing 
• ​COUNTRIES/AREAS DEPLOYED: Worldwide 
• ​COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

​Carlo Di Dato of Deloitte Risk Advisory Italia - Vulnerability Research Team reported this vulnerability. CERT@VDE coordinated the vulnerability. 

4. MITIGATIONS

CODESYS recommends users update the CODESYS Development System to version 3.5.19.20. 

​The CODESYS Development System can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. 

​Alternatively, users may find further information on obtaining the software update in the CODESYS Update area. 

​For more information, please see the advisory CERT@VDE published for CODESYS at: 

​https://cert.vde.com/en-us/advisories/vde-2023-021 

​CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: 

• ​Exercise principles of least privilege. 

​CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

​CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. 

​Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. 

​Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

​CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

• ​Do not click web links or open attachments in unsolicited email messages. 
• ​Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
• ​Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

​No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.