CVE-2022-47389
📋 TL;DR
This vulnerability allows authenticated remote attackers to exploit a stack-based out-of-bounds write in the CmpTraceMgr component of CODESYS products. Successful exploitation could lead to denial-of-service, memory corruption, or remote code execution. Organizations using affected CODESYS industrial automation software are at risk.
💻 Affected Systems
- CODESYS Control runtime systems
- CODESYS Development System
- CODESYS Gateway
📦 What is this software?
Control For Wago Touch Panels 600 Sl by Codesys
View all CVEs affecting Control For Wago Touch Panels 600 Sl →
Control Rte \(for Beckhoff Cx\) Sl by Codesys
View all CVEs affecting Control Rte \(for Beckhoff Cx\) Sl →
Hmi Sl by Codesys
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with full system compromise, allowing attackers to take control of industrial control systems.
Likely Case
Denial-of-service conditions disrupting industrial operations, with potential for memory corruption leading to system instability.
If Mitigated
Limited impact if proper network segmentation and authentication controls prevent attacker access to vulnerable systems.
🎯 Exploit Status
Requires authenticated access. Stack-based buffer overflow exploitation typically requires specific knowledge of memory layout and control flow.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V3.5.19.0 and later
Vendor Advisory: https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17554&token=5444f53b4c90fe37043671a100dffa75305d1825&download=
Restart Required: Yes
Instructions:
1. Download latest CODESYS version from official vendor portal. 2. Backup existing configurations. 3. Install update following vendor documentation. 4. Restart affected systems. 5. Verify functionality post-update.
🔧 Temporary Workarounds
Disable CmpTraceMgr component
allRemove or disable the vulnerable component if not required for operations
Consult CODESYS documentation for component-specific disable procedures
Network segmentation
allIsolate CODESYS systems from untrusted networks
Implement firewall rules to restrict access to CODESYS ports (typically 1217, 2455)
🧯 If You Can't Patch
- Implement strict network segmentation to isolate CODESYS systems from general network traffic
- Enforce strong authentication mechanisms and monitor for suspicious authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check CODESYS version in Control Panel or via CODESYS Development System. Versions below V3.5.19.0 are vulnerable.Check Version:
In CODESYS Development: Help → About CODESYS. On runtime systems: Check system properties or vendor-specific version commands.Verify Fix Applied:
Verify installed version is V3.5.19.0 or later through CODESYS about dialog or version check commands.📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts to CODESYS services
- CmpTraceMgr component errors or crashes
- Memory access violation logs
Network Indicators:
- Traffic to CODESYS ports (1217, 2455) from unexpected sources
- Patterns suggesting buffer overflow attempts
SIEM Query:
source="codesys" AND (event_type="authentication" OR event_type="crash") | stats count by src_ip