Yesterday afternoon DHS ICS-CERT published an advisory
about a ‘use after free’ vulnerability in the CODESYS Gateway application. The vulnerability
was reported by Nicholas Miles in a coordinated disclosure.

ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to cause a DoS or execute arbitrary
code. CODESYS has developed
an update to mitigate this vulnerability, and Miles has verified its
efficacy.

The Advisory notes that the Gateway application is used by
multiple vendors in other products, and that many integrators use the application in
developing integrated automation systems. The Advisory includes the following
recommendation:

“Control systems vendors should
review their products, identify those that incorporate the affected software,
and take appropriate steps to update their products and notify customers.”