CVE-2023-37557 - OpenCVE

After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted remote communication requests can cause the CmpAppBP component to overwrite a heap-based buffer, which can lead to a denial-of-service condition.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Codesys	Control For Linux Sl Control For Plcnext Sl Control Rte Sl Control For Pfc200 Sl Control For Wago Touch Panels 600 Sl Hmi Control For Raspberry Pi Sl Control For Iot2000 Sl Control For Beaglebone Sl Safety Sil2 Control Runtime System Toolkit Control Rte Sl \(for Beckhoff Cx\) Control For Empc-a\/imx6 Sl Development System Control Win Sl Control For Pfc100 Sl

Configuration 1 [-]

OR	cpe:2.3:a:codesys:control_for_beaglebone_sl::::::::
	cpe:2.3:a:codesys:control_for_empc-a\/imx6_sl::::::::
	cpe:2.3:a:codesys:control_for_iot2000_sl::::::::
	cpe:2.3:a:codesys:control_for_linux_sl::::::::
	cpe:2.3:a:codesys:control_for_pfc100_sl::::::::
	cpe:2.3:a:codesys:control_for_pfc200_sl::::::::
	cpe:2.3:a:codesys:control_for_plcnext_sl::::::::
	cpe:2.3:a:codesys:control_for_raspberry_pi_sl::::::::
	cpe:2.3:a:codesys:control_for_wago_touch_panels_600_sl::::::::

Configuration 2 [-]

OR	cpe:2.3:a:codesys:control_rte_sl::::::::
	cpe:2.3:a:codesys:control_rte_sl_\(for_beckhoff_cx\)::::::::
	cpe:2.3:a:codesys:control_runtime_system_toolkit::::::::
	cpe:2.3:a:codesys:control_win_sl::::::::
	cpe:2.3:a:codesys:development_system::::::::
	cpe:2.3:a:codesys:hmi::::::::
	cpe:2.3:a:codesys:safety_sil2::::::::

References

Link	Resource
https://cert.vde.com/en/advisories/VDE-2023-019/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: CERTVDE

Published: 2023-08-03T11:06:17.884Z

Updated: 2023-08-03T11:06:17.884Z

Reserved: 2023-07-07T07:39:19.121Z

Link: CVE-2023-37557

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-08-03T12:15:10.797

Modified: 2023-08-08T15:43:40.077

Link: CVE-2023-37557

JSON object: View

Redhat Information

No data.

CWE

CWE-787

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-37557", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "state": "PUBLISHED", "assignerShortName": "CERTVDE", "dateReserved": "2023-07-07T07:39:19.121Z", "datePublished": "2023-08-03T11:06:17.884Z", "dateUpdated": "2023-08-03T11:06:17.884Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CODESYS Control for BeagleBone SL", "vendor": "CODESYS", "versions": [{"lessThan": "V4.10.0.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "CODESYS Control for emPC-A/iMX6 SL", "vendor": "CODESYS", "versions": [{"lessThan": "V4.10.0.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "CODESYS Control for IOT2000 SL", "vendor": "CODESYS", "versions": [{"lessThan": "V4.10.0.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "CODESYS Control for Linux SL", "vendor": "CODESYS", "versions": [{"lessThan": "V4.10.0.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "CODESYS Control for PFC100 SL", "vendor": "CODESYS", "versions": [{"lessThan": "V4.10.0.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "CODESYS Control for PFC200 SL", "vendor": "CODESYS", "versions": [{"lessThan": "V4.10.0.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "CODESYS Control for PLCnext SL", "vendor": "CODESYS", "versions": [{"lessThan": "V4.10.0.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "CODESYS Control for Raspberry Pi SL", "vendor": "CODESYS", "versions": [{"lessThan": "V4.10.0.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "CODESYS Control for WAGO Touch Panels 600 SL", "vendor": "CODESYS", "versions": [{"lessThan": "V4.10.0.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "CODESYS Control RTE (for Beckhoff CX) SL", "vendor": "CODESYS", "versions": [{"lessThan": "V3.5.19.20", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "CODESYS Control RTE (SL)", "vendor": "CODESYS", "versions": [{"lessThan": "V3.5.19.20", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "CODESYS Control Runtime System Toolkit", "vendor": "CODESYS", "versions": [{"lessThan": "V3.5.19.20", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "CODESYS Control Win (SL)", "vendor": "CODESYS", "versions": [{"lessThan": "V3.5.19.20", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "CODESYS Development System V3", "vendor": "CODESYS", "versions": [{"lessThan": "V3.5.19.20", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "CODESYS HMI (SL)", "vendor": "CODESYS", "versions": [{"lessThan": "V3.5.19.20", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "CODESYS Safety SIL2 Runtime Toolkit", "vendor": "CODESYS", "versions": [{"lessThan": "V3.5.19.20", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Vladimir Tokarev, Section 52, Azure IoT Security at Microsoft"}], "datePublic": "2023-08-03T10:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted remote communication requests can cause the CmpAppBP component to overwrite a heap-based buffer, which can lead to a denial-of-service condition."}], "value": "After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted remote communication requests can cause the CmpAppBP component to overwrite a heap-based buffer, which can lead to a denial-of-service condition."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2023-08-03T11:06:17.884Z"}, "references": [{"url": "https://cert.vde.com/en/advisories/VDE-2023-019/"}], "source": {"advisory": "VDE-2023-019", "defect": ["CERT@VDE#64558"], "discovery": "EXTERNAL"}, "title": "CODESYS Heap-based Buffer Overflow in multiple products", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:codesys:control_for_beaglebone_sl:*:*:*:*:*:*:*:*", "matchCriteriaId": "80D9DB34-C2BD-441F-B8D9-02EFA27BECD8", "versionEndExcluding": "4.10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:codesys:control_for_empc-a\\/imx6_sl:*:*:*:*:*:*:*:*", "matchCriteriaId": "49AA0C0C-F2F2-4F11-9615-FDCA6BC410B4", "versionEndExcluding": "4.10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:codesys:control_for_iot2000_sl:*:*:*:*:*:*:*:*", "matchCriteriaId": "74FE662F-5397-4CB7-9243-1E6ED0AAEC29", "versionEndExcluding": "4.10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:codesys:control_for_linux_sl:*:*:*:*:*:*:*:*", "matchCriteriaId": "8896E77C-EB29-4CB9-BC98-D5A34791A961", "versionEndExcluding": "4.10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:codesys:control_for_pfc100_sl:*:*:*:*:*:*:*:*", "matchCriteriaId": "56101551-21ED-4409-9932-9EFA225AF20C", "versionEndExcluding": "4.10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:codesys:control_for_pfc200_sl:*:*:*:*:*:*:*:*", "matchCriteriaId": "C1239AA8-B094-4DA3-82B7-38F85B6C3940", "versionEndExcluding": "4.10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:codesys:control_for_plcnext_sl:*:*:*:*:*:*:*:*", "matchCriteriaId": "BAA7FE72-41A0-42E7-8E66-9B4A50A5B08F", "versionEndExcluding": "4.10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:codesys:control_for_raspberry_pi_sl:*:*:*:*:*:*:*:*", "matchCriteriaId": "C248B53C-3C09-4068-9E57-8F9A4D2B7AD0", "versionEndExcluding": "4.10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:codesys:control_for_wago_touch_panels_600_sl:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7995687-1BCD-454D-8546-52B80B5F22B0", "versionEndExcluding": "4.10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:codesys:control_rte_sl:*:*:*:*:*:*:*:*", "matchCriteriaId": "BAFC253D-32BC-4B9E-BDEE-CFFDCDBBE9FB", "versionEndExcluding": "3.5.19.20", "vulnerable": true}, {"criteria": "cpe:2.3:a:codesys:control_rte_sl_\\(for_beckhoff_cx\\):*:*:*:*:*:*:*:*", "matchCriteriaId": "297D8781-B331-40B2-BD34-0041A316D5C8", "versionEndExcluding": "3.5.19.20", "vulnerable": true}, {"criteria": "cpe:2.3:a:codesys:control_runtime_system_toolkit:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA76230A-C7E7-4223-BAB7-4CDE8F5CB5DB", "versionEndExcluding": "3.5.19.20", "vulnerable": true}, {"criteria": "cpe:2.3:a:codesys:control_win_sl:*:*:*:*:*:*:*:*", "matchCriteriaId": "09CC9B78-B3B4-4D49-9F23-DC5C80D52588", "versionEndExcluding": "3.5.19.20", "vulnerable": true}, {"criteria": "cpe:2.3:a:codesys:development_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "ACDCB65A-1328-422D-99A0-1D0FFE9AC793", "versionEndExcluding": "3.5.19.20", "vulnerable": true}, {"criteria": "cpe:2.3:a:codesys:hmi:*:*:*:*:*:*:*:*", "matchCriteriaId": "81E2FE85-347D-42DE-9360-D5DB79AAD085", "versionEndExcluding": "3.5.19.20", "vulnerable": true}, {"criteria": "cpe:2.3:a:codesys:safety_sil2:*:*:*:*:*:*:*:*", "matchCriteriaId": "A7DF2418-1EC1-4672-941E-098EBC9BDF4F", "versionEndExcluding": "3.5.19.20", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted remote communication requests can cause the CmpAppBP component to overwrite a heap-based buffer, which can lead to a denial-of-service condition."}, {"lang": "es", "value": "Despu\u00e9s de una autenticaci\u00f3n exitosa como usuario en m\u00faltiples productos Codesys en m\u00faltiples versiones, solicitudes de comunicaci\u00f3n remota dise\u00f1adas espec\u00edficamente pueden hacer que el componente CmpAppBP sobrescriba un desbordamiento de b\u00fafer, lo que puede conducir a una condici\u00f3n de denegaci\u00f3n de servicio."}], "id": "CVE-2023-37557", "lastModified": "2023-08-08T15:43:40.077", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "info@cert.vde.com", "type": "Primary"}]}, "published": "2023-08-03T12:15:10.797", "references": [{"source": "info@cert.vde.com", "tags": ["Third Party Advisory"], "url": "https://cert.vde.com/en/advisories/VDE-2023-019/"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "info@cert.vde.com", "type": "Primary"}]}