Yesterday afternoon DHS ICS-CERT published an advisory about a ‘use after free’ vulnerability in the CODESYS Gateway application. The vulnerability was reported by Nicholas Miles in a coordinated disclosure.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial of service (DoS) or execute arbitrary code. CODESYS has developed an update to mitigate this vulnerability, and Miles has verified its efficacy.
The Advisory notes that the Gateway application is used by multiple vendors in other products, and that many integrators use the application in developing integrated automation systems. The Advisory includes the following recommendation:
“Control systems vendors should review their products, identify those that incorporate the affected software, and take appropriate steps to update their products and notify customers.”