CVE-2022-47385
📋 TL;DR
An authenticated remote attacker can exploit a stack-based out-of-bounds write vulnerability in the CmpAppForce component of CODESYS products to cause denial-of-service, memory corruption, or remote code execution. This affects multiple CODESYS products across various versions. Organizations using CODESYS automation software in industrial control systems are at risk.
💻 Affected Systems
- CODESYS Control runtime systems
- CODESYS Development System
- CODESYS Gateway
- CODESYS PLCWinNT
- CODESYS Safety SIL2
- CODESYS SoftMotion
- CODESYS Visualization
📦 What is this software?
Control For Wago Touch Panels 600 Sl by Codesys
View all CVEs affecting Control For Wago Touch Panels 600 Sl →
Control Rte \(for Beckhoff Cx\) Sl by Codesys
View all CVEs affecting Control Rte \(for Beckhoff Cx\) Sl →
Hmi Sl by Codesys
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, allowing attacker to take control of industrial processes or critical infrastructure.
Likely Case
Denial-of-service conditions disrupting industrial operations, with potential for memory corruption affecting system stability.
If Mitigated
Limited impact with proper network segmentation and authentication controls, potentially only causing temporary service disruption.
🎯 Exploit Status
Requires authentication but stack-based buffer overflow vulnerabilities are often exploitable. Industrial control system context may make exploitation more complex.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific version updates
Vendor Advisory: https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17554&token=5444f53b4c90fe37043671a100dffa75305d1825&download=
Restart Required: Yes
Instructions:
1. Review CODESYS security advisory 2. Identify affected products and versions 3. Download and apply vendor-provided patches 4. Restart affected systems 5. Verify patch installation
🔧 Temporary Workarounds
Network Segmentation
allIsolate CODESYS systems from untrusted networks and implement strict firewall rules
Authentication Hardening
allImplement strong authentication mechanisms and limit user access to necessary functions only
🧯 If You Can't Patch
- Implement strict network segmentation to isolate CODESYS systems from untrusted networks
- Enforce strong authentication policies and monitor for suspicious authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check CODESYS product versions against vendor advisory. Review system logs for authentication attempts and abnormal CmpAppForce component behavior.Check Version:
Check CODESYS product documentation for version query commands specific to your installationVerify Fix Applied:
Verify installed version matches patched version from vendor advisory. Test system functionality and monitor for stability issues.📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful login
- Abnormal memory usage patterns in CmpAppForce component
- System crashes or instability in CODESYS runtime
Network Indicators:
- Unusual network traffic to CODESYS ports from unexpected sources
- Authentication requests from suspicious IP addresses
SIEM Query:
source="codesys" AND (event_type="authentication" OR component="CmpAppForce") AND (status="success" OR memory_usage>threshold)