CVE-2022-22519
📋 TL;DR
CVE-2022-22519 is a buffer over-read vulnerability in the webserver of the CODESYS Control runtime system. A remote, unauthenticated attacker can crash the webserver by sending crafted HTTP/HTTPS requests. It affects industrial control systems running vulnerable CODESYS software and can disrupt operations that depend on the runtime's web interface.
💻 Affected Systems
- CODESYS Control runtime system
📦 What is this software?
- Control for WAGO Touch Panels 600 SL by CODESYS
- Control RTE SL (for Beckhoff CX) by CODESYS
- HMI SL by CODESYS
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service of the CODESYS Control runtime system, disrupting industrial processes and potentially causing safety incidents in critical infrastructure.
Likely Case
Webserver crash causing a temporary service disruption until the runtime is manually restarted, affecting HMI access and remote monitoring.
If Mitigated
Limited impact where proper network segmentation and monitoring are in place, allowing quick detection of and recovery from service interruptions.
🎯 Exploit Status
Exploitation requires only crafted HTTP/HTTPS requests and no authentication, so any attacker with network access to the webserver can trigger the crash.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: CODESYS Control V3.5.19.0 and later
Vendor Advisory: https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17094&token=2fb188e2213c74194e81ba61ff99f1c68602ba4d&download=
Restart Required: Yes
Instructions:
1. Download CODESYS Control V3.5.19.0 or later from the CODESYS customer portal.
2. Back up the current configuration.
3. Install the update following the vendor documentation.
4. Restart the CODESYS Control runtime system.
5. Verify that the update was successful.
🔧 Temporary Workarounds
Disable CODESYS web server
Applies to: all platforms
Disable the vulnerable web server component if it is not required for operations.
Navigate to CODESYS Control configuration and disable web server functionality
Network segmentation and firewall rules
Applies to: Linux
Restrict access to the CODESYS web server ports (default 80/443, 8080/8443). The rules below drop all inbound traffic to those ports, including legitimate HMI access; because `-A` appends to the end of the INPUT chain, confirm that no earlier rule already accepts this traffic, or the appended DROP rules never match.
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -p tcp --dport 8080 -j DROP
iptables -A INPUT -p tcp --dport 8443 -j DROP
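The blanket DROP rules above also cut off operators who legitimately use the web server. The following script is an added example, not part of the advisory or of CODESYS: it generates an allow-list variant that accepts the web ports only from an assumed management subnet (`MGMT_NET`, a hypothetical value to adjust for your network), logs and drops everything else, and inserts the rules at the head of the chain so they take effect ahead of any pre-existing ACCEPT rule. The function only prints the commands; `apply_codesys_fw_rules` pipes them to a shell and is meant to be run as root after review.

```shell
#!/bin/sh
# Added example (not from the advisory): allow-list firewall rules for the
# CODESYS web server ports instead of a blanket DROP.
CODESYS_WEB_PORTS="80 443 8080 8443"

# Print (do not execute) the iptables commands for one management CIDR.
# Each "-I" inserts at the top of INPUT, so the commands are emitted in
# reverse of the order the rules should finally appear in:
#   DROP is inserted first, LOG lands above it, ACCEPT ends up on top.
build_codesys_fw_rules() {
    mgmt_net="$1"
    for port in $CODESYS_WEB_PORTS; do
        echo "iptables -I INPUT -p tcp --dport $port -j DROP"
        # LOG feeds the "unusual requests to CODESYS web ports" indicator.
        echo "iptables -I INPUT -p tcp --dport $port -j LOG --log-prefix \"CODESYS-WEB-DENY: \""
        echo "iptables -I INPUT -p tcp --dport $port -s $mgmt_net -j ACCEPT"
    done
}

# Apply the generated rules (requires root and iptables on the host).
apply_codesys_fw_rules() {
    build_codesys_fw_rules "$1" | sh
}

# Print the rule set for review; MGMT_NET is an assumed management subnet.
build_codesys_fw_rules "${MGMT_NET:-192.0.2.0/24}"
```

Review the printed commands, then run `apply_codesys_fw_rules 192.0.2.0/24` (with your real subnet) as root. The LOG rule gives the SIEM a concrete line to match for connection attempts from outside the management network.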
🧯 If You Can't Patch
- Implement strict network segmentation to isolate CODESYS systems from untrusted networks
- Deploy intrusion detection systems to monitor for exploitation attempts and anomalous HTTP traffic
🔍 How to Verify
Check if Vulnerable:
Check the CODESYS Control version via the CODESYS IDE or the system information of the device. Versions below V3.5.19.0 are vulnerable.
Check Version:
Check via the CODESYS IDE (Project → Device → Device Information) or with system-specific commands, depending on the installation.
Verify Fix Applied:
Verify that the version is V3.5.19.0 or later and that the web server still answers normal HTTP requests.
📡 Detection & Monitoring
Log Indicators:
- Webserver crash logs
- Abnormal termination of CODESYS processes
- Multiple malformed HTTP requests from single source
Network Indicators:
- Unusual HTTP request patterns to CODESYS web ports
- Requests with abnormal headers or payload sizes
SIEM Query:
(source="CODESYS" AND (event="crash" OR event="termination")) OR (dest_port IN (80, 443, 8080, 8443) AND http_request contains <abnormal patterns>)
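To make the "multiple malformed HTTP requests from a single source" indicator concrete, here is an added detection example that is not part of the advisory. It parses access-log lines in a Common-Log-Format-like layout (an assumption: the CODESYS webserver's own log format is not documented here), treats rejected (HTTP 400), oversized or non-printable request lines as malformed, and flags any source that sends at least `threshold` such requests inside a sliding time window. The sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real CODESYS output) in a Common-Log-Format-like
# layout: source, identity, user, [timestamp], "request line", status, size.
SAMPLE_LOG_LINES = [
    '192.0.2.10 - - [10/Mar/2023:12:00:01 +0000] "GET /webvisu.htm HTTP/1.1" 200 5123',
    '192.0.2.10 - - [10/Mar/2023:12:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
    '192.0.2.10 - - [10/Mar/2023:12:00:05 +0000] "GET / HTTP/1.1" 400 0',
] + [
    # one source sending six oversized, rejected requests within six seconds
    f'198.51.100.7 - - [10/Mar/2023:12:00:{10 + i:02d} +0000] "GET /{"A" * 4096} HTTP/1.1" 400 0'
    for i in range(6)
]

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "src": m["src"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def is_malformed(entry, max_request_len=2048):
    """A request is malformed if the server rejected it (400), the request
    line is abnormally long, or it carries non-printable characters."""
    req = entry["req"]
    return (
        entry["status"] == 400
        or len(req) > max_request_len
        or any(not 0x20 <= ord(c) <= 0x7E for c in req)
    )


def find_suspicious_sources(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source: peak count} for every source that sent at least
    `threshold` malformed requests inside any interval of length `window`."""
    malformed_times = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_malformed(entry):
            malformed_times[entry["src"]].append(entry["ts"])

    flagged = {}
    for src, times in malformed_times.items():
        times.sort()
        start = 0
        # Sliding window over the sorted timestamps of this source.
        for end, t_end in enumerate(times):
            while t_end - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(count, flagged.get(src, 0))
    return flagged


if __name__ == "__main__":
    for src, count in find_suspicious_sources(SAMPLE_LOG_LINES).items():
        print(f"{src}: {count} malformed requests within 60s")
```

The threshold and window are tuning knobs: a single 400 from an operator mistyping a URL (as `192.0.2.10` does above) stays below the bar, while a burst from one address is reported with its peak rate, which is what an analyst wants to correlate with the "webserver crash" log indicator.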