Yesterday DHS ICS-CERT published a new advisory about a novel twist on an earlier CoDeSys advisory; no, not the Wightman one from April, but the Luigi-Unuver one from January. That advisory identified, among other vulnerabilities, a stack-based overflow vulnerability reachable on Port 8080/TCP. The new advisory today identified a stack-based overflow vulnerability reachable on Port 80/TCP in the ABB AC500 PLC Webserver application, which is based upon the CoDeSys Webserver.
The new advisory does not give credit for the identification of the vulnerability, so one would assume that it came from ABB. It does note that there is publicly available exploit code for the vulnerability; one would expect that this refers to the Luigi disclosure of the CoDeSys vulnerability.
Yesterday’s advisory notes that the ABB patch for this vulnerability was made available last December. This is interesting in that it is about the same time as the original Unuver Alert and shortly after the initial Luigi disclosure. It seems that ABB was faster in responding to the CoDeSys vulnerability than the original manufacturer was.
That makes one think about something that was said about the Wightman discovery of the other CoDeSys vulnerability. The DigitalBond blog by Wightman noted that:
“I mentioned at the beginning a success story. The tools do not work on at least one of the vendor’s products, who chooses to remain anonymous. The vendor has a security development lifecycle (SDL) that included threat modeling. They identified the threat of uploading rogue ladder logic and other malicious files, saw that this was not addressed by the CoDeSys runtime, and added a “security envelope” around the runtime.”
I don’t know who the anonymous vendor is, but this appears to be the same sort of forward-thinking security effort that was apparently demonstrated by ABB in this instance. The only question is why ABB disclosed this issue to ICS-CERT at this time. Maybe they want some recognition for their security efforts.