Cybersecurity specialists reported at least 4 critical vulnerabilities in CODESYS V2 Runtime Toolkit, a set of tools for CODESYS, the development environment for driver programming in accordance with the international industry standard IEC 61131-3. According to the report, successful exploitation of these flaws would allow denial of service (DoS) attacks, arbitrary code execution, buffer overflows, and other attacks.

Below are brief descriptions of the reported flaws, along with their respective tracking identifiers and scores according to the Common Vulnerability Scoring System (CVSS).

CVE-2021-30186: A boundary error in affected deployments would allow remote attackers to send a specially crafted request, triggering a heap-based buffer overflow and leading to a DoS condition.

This is a flaw of medium severity and received a CVSS score of 6.5/10.

CVE-2021-30188: A boundary error would allow unauthenticated remote attackers to send a specially crafted request, trigger a stack-based buffer overflow, and execute arbitrary code.

The flaw received a score of 8.5/10.

CVE-2021-30195: Improper validation of user-provided input would allow remote attackers to pass a specially crafted entry to the affected application.

This vulnerability received a score of 6.5/10 and would allow the deployment of DoS attacks.

CVE-2021-30187: Incorrect input validation allows local users to pass specially crafted data to the application and execute arbitrary commands on the target operating system.

This flaw received a CVSS score of 6.8/10.

The vulnerabilities reside in the following affected versions and products:

  • CODESYS V2 Runtime Toolkit: any version prior to v2.4.7.55
  • CODESYS PLCWinNT: any version prior to v2.4.7.55

The flaws must be exploited locally, which significantly reduces the risk of attack. Updates are now available, and CODESYS recommends that users of affected deployments install the security patches as soon as possible.


The post Buffer overflow and code injection vulnerabilities in CODESYS appeared first on Information Security Newspaper | Hacking News.
