CVE-2023-3670

7.3 HIGH

📋 TL;DR

CVE-2023-3670 is a local privilege escalation vulnerability in CODESYS Development System and CODESYS Scripting where insecure directory permissions allow attackers with local workstation access to place malicious scripts that could be executed by legitimate users. This affects organizations using CODESYS for industrial automation and control systems programming.

💻 Affected Systems

Products:
  • CODESYS Development System
  • CODESYS Scripting
Versions: CODESYS Development System 3.5.9.0 to 3.5.17.0, CODESYS Scripting 4.0.0.0 to 4.1.0.0
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations where directory permissions are not hardened. Requires local access to the workstation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains full control of the CODESYS development environment, potentially compromising industrial control systems by executing arbitrary code with legitimate user privileges, leading to production disruption or safety incidents.

🟠 Likely Case

Local attackers plant disguised scripts that get executed by legitimate users, leading to data theft, malware installation, or lateral movement within the industrial network.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to isolated workstations without affecting production systems.

🌐 Internet-Facing: LOW - This requires local access to the workstation, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Attackers with local network access or physical access to workstations can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the workstation and knowledge of directory structure. No authentication bypass needed once local access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: CODESYS Development System 3.5.18.0 and later, CODESYS Scripting 4.2.0.0 and later

Vendor Advisory: https://cert.vde.com/en/advisories/VDE-2023-024

Restart Required: Yes

Instructions:

1. Download latest version from CODESYS website.
2. Backup current installation.
3. Run installer with administrative privileges.
4. Restart workstation after installation completes.

🔧 Temporary Workarounds

Restrict directory permissions (all platforms)

Manually secure CODESYS installation directories to prevent unauthorized write access

Windows: icacls "C:\Program Files\CODESYS" /inheritance:r /grant:r "Users:(OI)(CI)RX" /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F"
Linux: chmod 755 /opt/codesys/ && chown root:root /opt/codesys/

Application whitelisting (all platforms)

Implement application control to prevent execution of unauthorized scripts

Windows: Configure AppLocker or Windows Defender Application Control policies
Linux: Configure SELinux/AppArmor policies for CODESYS

🧯 If You Can't Patch

  • Implement strict access controls on CODESYS workstations to prevent unauthorized local access
  • Monitor CODESYS directories for unauthorized file modifications using file integrity monitoring

🔍 How to Verify

Check if Vulnerable:

Check the CODESYS version in the Help > About menu. If Development System is between 3.5.9.0 and 3.5.17.0, or Scripting is between 4.0.0.0 and 4.1.0.0, the system is vulnerable.

Check Version:

Windows: reg query "HKLM\SOFTWARE\CODESYS" /v Version
Linux: dpkg -l | grep codesys || rpm -qa | grep codesys

Verify Fix Applied:

Verify version is 3.5.18.0+ for Development System or 4.2.0.0+ for Scripting. Check directory permissions on CODESYS installation folders.
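Both checks can be scripted on a Linux workstation. The following is an added example, not code from CODESYS or the vendor advisory: it compares version strings numerically against the ranges listed on this page and walks an installation tree for entries a non-trusted account could modify. The function names, the trusted-owner list and the demo directory names are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Affected ranges as stated on this page (inclusive on both ends).
AFFECTED = {
    "CODESYS Development System": ("3.5.9.0", "3.5.17.0"),
    "CODESYS Scripting": ("4.0.0.0", "4.1.0.0"),
}

def _ver(text):
    # Compare numerically: as plain strings "3.5.9.0" would sort after "3.5.17.0".
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(product, version):
    """True if version falls inside this page's affected range for product."""
    low, high = AFFECTED[product]
    return _ver(low) <= _ver(version) <= _ver(high)

def audit_tree(root, trusted_uids=(0,)):
    """Return (relative path, reasons) for entries a non-trusted account could modify."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not enforced, skip them
            reasons = []
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if st.st_mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if st.st_uid not in trusted_uids:
                reasons.append("owner uid %d not trusted" % st.st_uid)
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

def demo():
    """Audit a constructed tree (hypothetical names, not a real CODESYS layout)."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("scripts", 0o777), ("bin", 0o755)):
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)  # 0o777 is the weak setting, 0o755 the hardened one
        return audit_tree(root, trusted_uids=(os.getuid(),))

if __name__ == "__main__":
    print(is_affected("CODESYS Development System", "3.5.17.0"), demo())
```

On a real workstation, call `audit_tree("/opt/codesys")` with the default `trusted_uids=(0,)`; an empty result means no entry under the tree is group- or world-writable or owned by a non-root account.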

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized file creation in CODESYS directories
  • Unexpected script execution from CODESYS folders
  • Permission changes on CODESYS installation directories

Network Indicators:

  • Unusual outbound connections from CODESYS workstations
  • Lateral movement attempts from CODESYS systems

SIEM Query:

(source="windows-security" EventID=4663 ObjectName="*CODESYS*" AccessMask="0x2") OR (source="sysmon" EventID=11 TargetFilename="*CODESYS*")
