Vulnerability in the routing protocol of the PLC runtime
- Advisory ID: BOSCH-SA-350374
- CVE Numbers and CVSS v3.1 Scores:
- Published: 19 May 2021
- Last Updated: 19 May 2021
The control systems IndraMotion MTX, MLC and MLD and the ctrlX CORE PLC application contain PLC technology from Codesys GmbH. The manufacturer Codesys GmbH published a security bulletin about a weakness in the routing protocol used for communication between the PLC runtime and its clients. By exploiting the vulnerability, attackers can send crafted communication packets to change the router's addressing scheme and may re-route, add, remove or change low-level communication packages.
On the ctrlX CORE PLC Runtime, an attacker might exploit the vulnerability to obfuscate the origin of the attacker's address and thereby cover their tracks or, in the worst case, cause a temporary interruption of communication with the PLC Runtime. No authentication bypass is possible. A restart of the PLC Runtime application resets the application to a working state.
On IndraMotion MLC, MTX and MLD, an attacker exploiting the vulnerability might act as a man in the middle and manipulate communication requests between the PLC runtime and its clients. In the worst case, this would allow the attacker to manipulate the PLC Runtime and/or read data without authorization.
The vulnerability currently affects all available software versions.
- Rexroth IndraMotion MLC
- Rexroth IndraMotion MLD
- Rexroth IndraMotion MTX
- ctrlX CORE PLC App <= 01V08
Solution and Mitigations
Software Update to ctrlX CORE PLC App 01V10
ctrlX CORE PLC App Release 01V10 will include an updated release of the Codesys software stack which corrects the vulnerability. Please update your ctrlX CORE installation to this release when it becomes available. Please contact your sales partner for instructions on how to retrieve the update.
For IndraMotion MLC, MTX or MLD the following options exist:
- Use of ctrlX CORE as a security gateway for protection of IndraMotion MLC, MTX or MLD
- Use of ctrlX CORE instead of IndraMotion MLC, MTX or MLD
Until updated releases are available, or if the solutions described in section 4.1 are not applicable, compensatory measures that mitigate the risk are recommended. Always define such compensatory measures individually, in the context of the operational environment. Some possible measures, for example network segmentation, are described in the "Security Guideline Electric Drives and Controls" (please see the reference to this guideline below). In general, it is highly recommended to implement the measures described in the "Security Guideline Electric Drives and Controls".
CVE description: CODESYS Control Runtime system before 126.96.36.199 has improper input validation. Attackers can send crafted communication packets to change the router’s addressing scheme and may re-route, add, remove or change low level communication packages.
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Base Score: 7.3 (High)
Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer's environment and should be determined by the customer to obtain a final score.
-  Codesys Security Advisory ID 2021-01: https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=14640&token=623b6fceb0579ef0f7505e29beefa5b3f8ac7873&download=
-  Bosch Rexroth Security Guideline Electric Drives and Controls: https://www.boschrexroth.com/various/utilities/mediadirectory/download/index.jsp?object_nr=R911342562
Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: firstname.lastname@example.org.
- 19 May 2021: Initial Publication