Skip to main

Vulnerabilities in the communication protocol of the PLC runtime

BOSCH-SA-577411

Advisory Information

Summary

The PLC application of the control systems ctrlX CORE, IndraLogic, IndraMotion MTX, IndraMotion MLC and IndraMotion MLD contains PLC technology from CODESYS GmbH. The manufacturer CODESYS GmbH published multiple security bulletins [1], [2], [3], [4], [5]. By exploiting the vulnerabilities in the protocol for the communication between the PLC runtime and clients, attackers can send crafted communication packets which may result in a stop of the web server communication of the PLC runtime or a temporary blocking of the communication to the PLC runtime. Please see the following table for a quick overview about the affected products.

CVE CODESYS Advisory ctrlX CORE PLC IndraMotion MLC/MLD/MTX, IndraLogic
CVE-2022-22519
2022-07
affected (<= 01V14)
not affected
CVE-2022-22513, CVE-2022-22514
2022-06
not affected
affected only when user management is disabled
CVE-2022-22517
2022-04
affected (<= 01V14)
affected
CVE-2022-22515
2022-02
not affected
affected only when user management is disabled

Affected Products

  • Rexroth IndraLogic (all versions)
    • CVE-2022-22513
    • CVE-2022-22514
    • CVE-2022-22515
    • CVE-2022-22517
  • Rexroth IndraMotion MLC (all versions)
    • CVE-2022-22513
    • CVE-2022-22514
    • CVE-2022-22515
    • CVE-2022-22517
  • Rexroth IndraMotion MLD (all versions)
    • CVE-2022-22513
    • CVE-2022-22514
    • CVE-2022-22515
    • CVE-2022-22517
  • Rexroth IndraMotion MTX (all versions)
    • CVE-2022-22513
    • CVE-2022-22514
    • CVE-2022-22515
    • CVE-2022-22517
  • ctrlX CORE PLC <= PLC-V-0114.1
    • CVE-2022-22515
    • CVE-2022-22517
    • CVE-2022-22519

Solution and Mitigations

Solution

ctrlX CORE PLC 01V16 will include an updated CODESYS version which has solved the identified vulnerabilities.

Security Gateway

Use a security gateway, e.g. the ctrlX CORE, for the protection of the affected systems.

Compensatory Measures

Compensatory measures are recommended which mitigate the risk. Always define such compensatory measures individually, in the context of the operational environment. Some measures are described in the “Security Guideline Electric Drives and Controls” [6], for example the network segmentation. In general, it is mandatory to implement the measures described in the “Security Guideline Electric Drives and Controls”.

Vulnerability Details

CVE-2022-22513

CVE description: An authenticated remote attacker can cause a null pointer dereference in the CmpSettings component of the affected CODESYS products which leads to a crash.

CVE-2022-22514

CVE description: An authenticated, remote attacker can gain access to a dereferenced pointer contained in a request. The accesses can subsequently lead to local overwriting of memory in the CmpTraceMgr, whereby the attacker can neither gain the values read internally nor control the values to be written. If invalid memory is accessed, this results in a crash.

CVE-2022-22515

CVE description: A remote, authenticated attacker could utilize the control program of the CODESYS Control runtime system to use the vulnerability in order to read and modify the configuration file(s) of the affected products.

CVE-2022-22517

CVE description: An unauthenticated, remote attacker can disrupt existing communication channels between CODESYS products by guessing a valid channel ID and injecting packets. This results in the communication channel to be closed.

CVE-2022-22519

CVE description: A remote, unauthenticated attacker can send a specific crafted HTTP or HTTPS requests causing a buffer over-read resulting in a crash of the webserver of the CODESYS Control runtime system.

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

  • 02 May 2022: Initial Publication