Patch Available for Vulnerabilities on CODESYS Automation Software

On March 28, 2017, ICS-CERT published an alert on two vulnerabilities in CODESYS Web Server, automation software used in many different industrial control system (ICS) devices deployed in critical infrastructure across the country, affecting versions 2.3 and earlier. The makers of CODESYS, 3S-Smart Software Solutions, patched a stack-based buffer overflow vulnerability, CVE-2017-6025, and an unrestricted file upload vulnerability, CVE-2017-6027, which could allow an attacker to crash an application or run arbitrary code, or allow remote code execution, respectively. CODESYS Web Server users can refer to the device directory to determine if they may be affected. 3S-Smart Software Solutions is distributing the patch to vulnerable products; however, experts warn this may take time. The NJCCIC recommends all users and administrators review ICS-CERT’s alert and proactively downloadpatch V.1.1.9.18.