CVE-2022-47387
📋 TL;DR
CVE-2022-47387 is a stack-based out-of-bounds write vulnerability in the CmpTraceMgr component of CODESYS industrial automation software. Authenticated remote attackers can exploit it to cause a denial of service or memory corruption, and potentially to execute arbitrary code. It affects multiple CODESYS products across various versions used in industrial control systems.
💻 Affected Systems
- CODESYS Control runtime systems
- CODESYS Development System
- CODESYS Gateway
- CODESYS OPC UA Server
- Other CODESYS-based products
📦 What is this software?
Control For Wago Touch Panels 600 Sl by Codesys
Control Rte (for Beckhoff Cx) Sl by Codesys
Hmi Sl by Codesys
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, manipulation of industrial processes, or lateral movement within OT networks.
Likely Case
Denial-of-service conditions disrupting industrial operations, with potential for memory corruption affecting system stability.
If Mitigated
Limited impact if proper network segmentation and authentication controls prevent attacker access to vulnerable components.
🎯 Exploit Status
Requires authentication, but industrial systems often use default or weak credentials. Stack-based buffer overflows are well-understood exploitation vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Varies by product - refer to CODESYS security advisory for specific version numbers
Vendor Advisory: https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17554&token=5444f53b4c90fe37043671a100dffa75305d1825&download=
Restart Required: Yes
Instructions:
1. Review the CODESYS security advisory for affected products.
2. Download the appropriate patches from the CODESYS customer portal.
3. Apply the patches following vendor instructions.
4. Restart the affected systems.
5. Verify the patch installation.
🔧 Temporary Workarounds
Network Segmentation
Isolate CODESYS systems from untrusted networks and implement strict firewall rules.
Authentication Hardening
Implement strong authentication mechanisms and change default credentials.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate CODESYS systems
- Enforce strong authentication and access controls
- Monitor for anomalous behavior and authentication attempts
- Consider virtual patching via intrusion prevention systems
🔍 How to Verify
Check if Vulnerable:
Check CODESYS product versions against the security advisory. Review system logs for authentication attempts to CODESYS services.
Check Version:
Varies by platform - typically through CODESYS development environment or system management tools
Verify Fix Applied:
Verify installed CODESYS version is patched per vendor advisory. Check that CmpTraceMgr component version has been updated.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts to CODESYS services
- Unexpected process crashes in CODESYS components
- Authentication logs showing access to CmpTraceMgr
Network Indicators:
- Unusual network traffic to CODESYS ports (typically 1217, 2455, others)
- Traffic patterns suggesting buffer overflow attempts
SIEM Query:
source="codesys" AND (event_type="authentication" OR event_type="crash") | stats count by src_ip, user
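The log and SIEM indicators above, turned into runnable detection logic. This is an added example, not code from the advisory or from CODESYS; the key=value log format, the field names (source, event_type, result, component, src_ip, user) and the failure threshold are assumptions, and the sample log lines are constructed.

```python
# Added example, not code from the advisory or from CODESYS: offline detection
# logic for the log indicators listed above, run over constructed key=value
# log lines. The log format, field names and threshold are assumptions.
import re
from collections import Counter

# Constructed sample events: one source fails logins, then logs in and
# triggers a CmpTraceMgr crash; a second host behaves normally.
SAMPLE_LOGS = """\
source=codesys event_type=authentication result=failure src_ip=10.0.0.5 user=admin
source=codesys event_type=authentication result=failure src_ip=10.0.0.5 user=admin
source=codesys event_type=authentication result=failure src_ip=10.0.0.5 user=admin
source=codesys event_type=authentication result=success src_ip=10.0.0.5 user=admin
source=codesys event_type=crash component=CmpTraceMgr src_ip=10.0.0.5 user=admin
source=codesys event_type=authentication result=success src_ip=10.0.0.9 user=operator
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Turn key=value lines into dicts, keeping only CODESYS-sourced events."""
    events = []
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("source") == "codesys":
            events.append(fields)
    return events

def find_alerts(events, fail_threshold=3):
    """Flag repeated failed logins per source IP and any CmpTraceMgr crash,
    tagging a crash that follows a successful login from the same IP."""
    failures = Counter()
    logged_in = set()
    alerts = []
    for ev in events:
        ip, user = ev.get("src_ip"), ev.get("user")
        if ev.get("event_type") == "authentication":
            if ev.get("result") == "failure":
                failures[ip] += 1
                if failures[ip] == fail_threshold:  # alert once per source
                    alerts.append(("repeated_auth_failures", ip, user))
            elif ev.get("result") == "success":
                logged_in.add(ip)
        elif ev.get("event_type") == "crash" and ev.get("component") == "CmpTraceMgr":
            kind = "cmptracemgr_crash_after_login" if ip in logged_in else "cmptracemgr_crash"
            alerts.append((kind, ip, user))
    return alerts
```

A crash in CmpTraceMgr shortly after a successful login from the same source is the sequence worth escalating first, since the vulnerability requires authentication.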