Microsoft said that while exploiting this bug will be quite difficult, the security risk is very high.
According to Ars Technica, Microsoft has disclosed 15 critical vulnerabilities in a widely used toolkit for programming devices that operate inside industrial facilities such as power generation plants, energy automation, and process automation. The company warns that while the code execution and denial-of-service vulnerabilities are difficult to exploit, they allow hackers to cause great damage to targets.
The vulnerabilities affect the CODESYS V3 software development kit (SDK). Developers such as Schneider Electric and WAGO use these tools to program logic controllers, devices that open and close valves, rotate motors, and control many other physical devices in industrial facilities around the world. The SDK allows developers to achieve compatibility with IEC 61131-3, the international standard that defines safe programming languages for use in industrial environments.
A report from Microsoft says a DoS attack against a device using a vulnerable version of CODESYS could allow a hacker to shut down a power plant, while remote code execution could provide a backdoor to devices and allow attackers to interfere with operation, cause logic controllers to run abnormally, or steal critical information.
Because CODESYS is used by multiple vendors, a single vulnerability can affect multiple sectors, device types, and verticals, let alone multiple vulnerabilities. All vulnerabilities discovered by Microsoft can lead to DoS and RCE attacks. Although exploiting the discovered vulnerabilities requires deep knowledge of CODESYS V3's proprietary protocol as well as user authentication, a successful attack has the potential to cause extensive damage to the targets.
Microsoft privately informed the developer Codesys about the vulnerabilities in September 2022, and patches have since been released. It is possible that many vendors using the SDK have installed the updates by now.