Microsoft warns of CODESYS flaws within industrial hardware

Microsoft says that flaws in the CODESYS SDK are leaving thousands of PLC units at risk of remote attack with potentially catastrophic consequences

Microsoft warns of CODESYS flaws within industrial hardware

Microsoft's security team is sounding alarms over a series of vulnerabilities that could leave industrial systems open to attack.

Redmond's security researchers said that a handful of known flaws in the CODESYS protocol was placing programmable logic controllers (PLCs) in danger of everything from denial of service to remote code execution bugs.

"The discovery of these vulnerabilities highlights the critical importance of ensuring the security of industrial control systems and underscores the need for continuous monitoring and protection of these environments," Microsoft said.

For those unfamiliar, PLC is the generic term for network-connected devices that are used to automate or remotely manage industrial hardware across a variety of sectors from factory floors to remote utility stations. Such devices are heavily relied upon but usually operate for years with little to no updates or interactions aside from troubleshooting.

CODESYS, meanwhile, is the developer kit that allows admins and service providers to create the automation protocol that PLCs use in their day-to-day operation. It is said to be the preferred SDK for some 500 different manufacturers across multiple industries.

This is what makes the Microsoft team so worried about the vulnerabilities in CODESYS. They say that the bugs, 15 in all, could be exploited by an attacker to perform such nefarious things as denial of service and remote code execution (RCE).

While RCE flaws are generally considered to be far more serious than denial of service bugs, in the context of a PLC a DoS attack can be just as disastrous as it would potentially bring operations to a standstill.

Microsoft said that it has worked with CODESYS for nearly a year to remediate the bugs and a patch (version 3.5.19.0) has been released and all admins are being encouraged to update.

The remote and automated nature of PLCs, however, means that many will not receive this, or any update. In practice, most installations are either too remote or too vital to risk any extended downtime to test and deploy firmware updates.

This creates the potential disaster scenarios that worry the Microsoft team. The researchers describe one such scenario in which a remote attacker would be able to take down a power plant by exploiting one of the CODESYS flaws.

"A DoS attack against a device using a vulnerable version of CODESYS could enable threat actors to shut down a power plant, while remote code execution could create a backdoor for devices and let attackers tamper with operations, cause a PLC to run in an unusual way, or steal critical information," Microsoft writes.

"Exploiting the discovered vulnerabilities, however, requires user authentication, as well as deep knowledge of the proprietary protocol of CODESYS V3 and the structure of the different services that the protocol uses."

One best practice for companies in the industrial sector is to air-gap the operational technology (OT) network on which PLCs operate from the internet-facing IT network. This, however, is easier said than done as in most cases the OT network includes branch locations or remote outposts where it is impossible for an administrator to be physically present.

To that end, Microsoft is encouraging companies to do what they can to patch their PLCs, and if that is not possible, to limit exposure by cutting off CODESYS access to devices that do not need it and limiting their exposure to the open internet.