Schneider Electric devices using CODESYS Runtime
Schneider Electric is aware of multiple vulnerabilities disclosed in the CODESYS Runtime System V3 communication server. Many vendors, including Schneider Electric, embed CODESYS in their offerings. If successfully exploited, these vulnerabilities could result in a denial of service or, in some cases, in remote code execution on PacDrive controllers, Modicon Controllers M241 / M251 / M262 / M258 / LMC058 / LMC078 / M218, HMISCU, the Simulation Runtime SoftSPS from EcoStruxure Machine Expert and EcoStruxure Microgrid Operation products. Failure to apply the mitigations provided may result in denial of service and/or arbitrary remote code execution.
The following versions of Schneider Electric devices using CODESYS Runtime are affected:
- HMISCU Controller (CVE-2022-4046, CVE-2023-28355, CVE-2022-47378, CVE-2022-47379, CVE-2022-47380, CVE-2022-47381, CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, CVE-2022-47390, CVE-2022-47385, CVE-2022-47392, CVE-2022-47393, CVE-2022-47391, CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37548, CVE-2023-37549, CVE-2023-37550, CVE-2023-37551, CVE-2023-37552, CVE-2023-37553, CVE-2023-37554, CVE-2023-37555, CVE-2023-37556, CVE-2023-37557, CVE-2023-37558, CVE-2023-37559, CVE-2023-3662, CVE-2023-3663, CVE-2023-3669, CVE-2023-3670).
- Modicon Controller LMC078 (CVE-2022-4046, CVE-2023-28355).
- Modicon Controller M241 (CVE-2022-4046, CVE-2023-28355, CVE-2022-47378, CVE-2022-47379, CVE-2022-47380, CVE-2022-47381, CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, CVE-2022-47390, CVE-2022-47385, CVE-2022-47392, CVE-2022-47393, CVE-2022-47391, CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37548, CVE-2023-37549, CVE-2023-37550, CVE-2023-37551, CVE-2023-37552, CVE-2023-37553, CVE-2023-37554, CVE-2023-37555, CVE-2023-37556, CVE-2023-37557, CVE-2023-37558, CVE-2023-37559, CVE-2023-3662, CVE-2023-3663, CVE-2023-3669, CVE-2023-3670).
- PacDrive 3 Controllers: LMC Eco/Pro/Pro2 (CVE-2022-4046, CVE-2023-28355, CVE-2022-47378, CVE-2022-47379, CVE-2022-47380, CVE-2022-47381, CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, CVE-2022-47390, CVE-2022-47385, CVE-2022-47392, CVE-2022-47393, CVE-2022-47391, CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37548, CVE-2023-37549, CVE-2023-37550, CVE-2023-37551, CVE-2023-37552, CVE-2023-37553, CVE-2023-37554, CVE-2023-37555, CVE-2023-37556, CVE-2023-37557, CVE-2023-37558, CVE-2023-37559, CVE-2023-3662, CVE-2023-3663, CVE-2023-3669, CVE-2023-3670).
These vulnerabilities impact Critical Infrastructure Sectors including Commercial Facilities, Critical Manufacturing, and Energy, with deployments worldwide. Schneider Electric CPCERT reported these vulnerabilities to CISA.
To read the complete article, see the CISA Advisory.