November 15, 2024
3 New Vulnerabilities Affect OT Products from German Companies Festo and CODESYS
Researchers have disclosed details of three new security vulnerabilities affecting operational technology (OT) products from CODESYS and Festo that could lead to source code tampering and denial-of-service (DoS). The vulnerabilities, reported by Forescout Vedere Labs, are the latest in a long list of flaws collectively tracked under the name OT:ICEFALL. "These issues exemplify either an

Researchers have disclosed details of three new security vulnerabilities affecting operational technology (OT) products from CODESYS and Festo that could lead to source code tampering and denial-of-service (DoS).

The vulnerabilities, reported by Forescout Vedere Labs, are the latest in a long list of flaws collectively tracked under the name OT:ICEFALL.

“These issues exemplify either an insecure-by-design approach — which was usual at the time the products were launched – where manufacturers include dangerous functions that can be accessed with no authentication or a subpar implementation of security controls, such as cryptography,” the researchers said.

The most critical of the flaws is CVE-2022-3270 (CVSS score: 9.8), a critical vulnerability that affects Festo automation controllers using the Festo Generic Multicast (FGMC) protocol to reboot the devices without requiring any authentication and cause a denial of service (DoS) condition.

Another DoS shortcoming in Festo controllers (CVE-2022-3079, CVSS score: 7.5) relates to a case of unauthenticated, remote access to an undocumented web page (“cec-reboot.php”) that could be exploited by an attacker with network access to Festo CPX-CEC-C1 and CPX-CMXX PLCs.

The third issue, on the other hand, concerns the use of weak cryptography in the CODESYS V3 runtime environment to secure download code and boot applications (CVE-2022-4048, CVSS score: 7.7), which could be abused by a bad actor to decrypt and manipulate the source code, thereby undermining confidentiality and integrity protections.

Forescout said it also identified two known CODESYS bugs impacting Festo CPX-CEC-C1 controllers (CVE-2022-31806 and CVE-2022-22515) that stem from an unsafe configuration in the Control runtime environment, and could lead to a denial-of-service sans authentication.

“This is yet another example of a supply chain issue where a vulnerability has not been disclosed for all the products it affects,” the researchers said.

To mitigate potential threats, organizations are recommended to discover and inventory vulnerable devices, enforce appropriate network segmentation controls, and monitor network traffic for anomalous activity.