Saurabh's Blog

Critical Vulnerability Discovered in CODESYS Web Server

Published 3 months ago
Image Credit: www.howtofix.guide (How To Fix Guide)

Web servers are internet-facing by design, which makes them one of the first components an attacker probes and one that must be kept patched and hardened. CODESYS, a software suite used to engineer industrial control systems, was found to ship a web server with a flaw that lets a remote attacker crash the server or execute code on it.

Insights

On December 02 2019, security researchers at Tenable Inc. discovered a critical vulnerability in the CODESYS web server. “This web server is used to display CODESYS visualization screen in the web browser”[1]. The flaw is rated critical and belongs to the heap-based buffer overflow class: the web server copies attacker-controlled request data into a buffer allocated on the heap without checking that the data fits, so the excess bytes overwrite whatever sits after the buffer, including other heap objects and allocator metadata. Depending on what is corrupted, the process crashes (denial of service) or the attacker gains control of execution (remote code execution). No authentication is required to reach the vulnerable code path[3]. The vulnerability is tracked as CVE-2020-10245 and scores the maximum 10.0 on the CVSS v3 severity scale. According to Tenable, the flaw lies in the web-server library CmpWebServerHandlerV3.dll, which fails to sanitize user-supplied input[2]. Tenable has also published a proof-of-concept exploit for the vulnerability on GitHub.
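The pattern behind this class of bug, as an added illustration that is not CODESYS's code and does not reproduce the actual defect in CmpWebServerHandlerV3.dll: a request handler that trusts a client-supplied length when copying into a heap buffer, shown beside a hardened version that bounds the length and rejects mismatches. The header format, the MAX_BODY cap and the sample requests are all constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed illustration of the heap-overflow pattern described above.
 * This is NOT CODESYS code and does not reproduce the real
 * CmpWebServerHandlerV3 bug; it models the generic mistake of trusting a
 * client-supplied length when copying request data into a heap buffer.
 */

#define MAX_BODY 4096 /* hypothetical server-side limit on request bodies */

/* Extract the decimal Content-Length value from a raw header block.
 * Returns -1 when the header is missing, non-numeric or negative. */
long parse_content_length(const char *headers)
{
    const char *p = strstr(headers, "Content-Length:");
    if (p == NULL)
        return -1;
    p += strlen("Content-Length:");
    while (*p == ' ')
        p++;

    char *end;
    errno = 0;
    long value = strtol(p, &end, 10);
    if (errno != 0 || end == p || value < 0)
        return -1;
    return value;
}

/* VULNERABLE: the allocation size comes from the declared Content-Length,
 * but the copy uses the number of bytes actually received. A request that
 * declares a short body and then sends a long one writes past the end of
 * the heap chunk, corrupting neighbouring data and allocator metadata.
 * Never call this with body_len greater than the declared length. */
char *handle_body_vulnerable(const char *headers, const unsigned char *body,
                             size_t body_len)
{
    long declared = parse_content_length(headers);
    if (declared < 0)
        return NULL;

    char *buf = malloc((size_t)declared + 1);
    if (buf == NULL)
        return NULL;

    memcpy(buf, body, body_len); /* BUG: body_len is not bounded by declared */
    buf[declared] = '\0';
    return buf;
}

/* HARDENED: cap the declared length, require that the received length
 * matches it exactly, and copy only as many bytes as were allocated.
 * Any mismatch is treated as a malformed request and rejected. */
char *handle_body_hardened(const char *headers, const unsigned char *body,
                           size_t body_len, size_t *out_len)
{
    long declared = parse_content_length(headers);
    if (declared < 0 || declared > MAX_BODY)
        return NULL;
    if (body_len != (size_t)declared)
        return NULL;

    char *buf = malloc((size_t)declared + 1);
    if (buf == NULL)
        return NULL;

    memcpy(buf, body, (size_t)declared);
    buf[declared] = '\0';
    if (out_len != NULL)
        *out_len = (size_t)declared;
    return buf;
}

int main(void)
{
    /* Constructed requests: one well-formed, one that lies about its size. */
    const char *headers = "POST / HTTP/1.1\r\nContent-Length: 5\r\n\r\n";
    const unsigned char *good_body = (const unsigned char *)"hello";
    unsigned char crafted[256];
    memset(crafted, 'A', sizeof crafted);

    size_t n = 0;
    char *ok = handle_body_hardened(headers, good_body, 5, &n);
    printf("well-formed request: %s (%zu bytes)\n", ok ? ok : "rejected", n);
    free(ok);

    char *bad = handle_body_hardened(headers, crafted, sizeof crafted, &n);
    printf("crafted request: %s\n", bad ? "accepted" : "rejected");
    free(bad);

    /* handle_body_vulnerable(headers, crafted, sizeof crafted) would here
     * overflow a 6-byte allocation by 250 bytes; it is deliberately not run. */
    return 0;
}
```

To actually observe the corruption, build with AddressSanitizer (`cc -fsanitize=address -g`) and call `handle_body_vulnerable` on the crafted request; ASan reports a heap-buffer-overflow at the `memcpy`. The hardened handler makes the decision explicit: the only length it trusts for copying is the one it allocated for, and a body that does not match is dropped rather than partially accepted.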

Conclusion

On March 25 2020, CODESYS disclosed the vulnerability and released a fixed version. CODESYS V3 web server versions prior to 3.5.15.40 are affected; 3.5.15.40 and later contain the fix. According to the security advisory published by CODESYS, the bug impacts all three pillars of the CIA triad (confidentiality, integrity and availability), which is what the maximum CVSS score reflects. An attacker can crash the server by sending a specially crafted request to the web server, and can potentially execute arbitrary code on the host, which is the far more dangerous outcome. Operators should upgrade to 3.5.15.40 or later, and until then should not expose the CODESYS web server to untrusted networks.

References

  1. Critical And Exploitable Vulnerability Found In CODESYS Web Server
  2. Critical CODESYS Bug Allows Remote Code Execution
  3. CODESYS V3 Unauthenticated Remote Heap Overflow - Research Advisory