Microsoft warns that power plants could be at risk

  • August 14, 2023

Microsoft has disclosed fifteen vulnerabilities that could pose a major risk to various industries, including power plants.

Microsoft security researchers discovered several vulnerabilities in CODESYS V3, an SDK (software development kit) that is mainly used for developing and programming PLCs (programmable logic controllers). Such a device is an important link in the automation of various industries.

The danger

The vulnerabilities can pose a risk to operational technology infrastructure. In particular, attacks such as remote code execution (RCE) and denial of service (DoS) represent a real threat. Fourteen of the vulnerabilities have a CVSS score of 8.8 and one vulnerability has a score of 7.5.

CODESYS is compatible with over a thousand different devices from several hundred manufacturers. That means millions of devices use this solution. A DoS attack on such a device via a vulnerability in the SDK can crash a power plant. An RCE attack allows attackers to open a backdoor to manipulate the process or steal data.

Positive news

However, according to Microsoft, exploiting such a vulnerability requires extensive knowledge of the CODESYS V3 protocol and of the structures of the various services that use this protocol. Authentication is also required.

Microsoft researchers worked closely with CODESYS to create patches for the various vulnerabilities discovered last September. The company therefore recommends that CODESYS users carry out a security update as soon as possible in order to activate these patches.

Additionally

Microsoft also has some advice for users of CODESYS:

  • Update the firmware of your devices to version 3.5.19.0 or higher and ask the manufacturer of these devices for patches
  • Ensure that all critical devices – PLCs, routers, computers – are offline and segmented, whether they use CODESYS or not
  • Restrict access to CODESYS devices to only authorized components
  • If patching proves difficult, reduce risk through proper segmentation with unique usernames and passwords and reduce the number of users allowed to write code
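
The advice above can be turned into a quick check over an asset inventory. The following is an added example, not code from Microsoft, CODESYS or the original article; the CSV columns, device names and sample rows are constructed assumptions, and only the 3.5.19.0 threshold comes from the list above.

```python
import csv
import io

FIXED = (3, 5, 19, 0)  # minimum patched version named in the advice above

# Constructed sample inventory; device names, columns and values are made up.
SAMPLE_INVENTORY = """device,firmware_version,online,segmented
plc-line-1,3.5.17.20,yes,no
plc-line-2,3.5.19.0,no,yes
hmi-packaging,3.5.18.40,no,yes
plc-boiler,V3.5.19.10,no,no
plc-legacy,unknown,yes,yes
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a dotted version."""
    parts = text.strip().lstrip("vV").split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))

def triage(inventory_csv):
    """Return (device, findings) pairs for devices needing action, most findings first."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings = []
        version = parse_version(row["firmware_version"])
        if version is None:
            # Never treat an unreadable version as patched.
            findings.append("version unknown: verify manually")
        elif version < FIXED:
            findings.append("update firmware to 3.5.19.0 or higher")
        if row["online"].strip().lower() == "yes":
            findings.append("take offline")
        if row["segmented"].strip().lower() != "yes":
            findings.append("segment")
        if findings:
            results.append((row["device"], findings))
    # Stable sort: devices with the most open findings come first.
    return sorted(results, key=lambda r: -len(r[1]))

if __name__ == "__main__":
    for device, findings in triage(SAMPLE_INVENTORY):
        print(f"{device}: {'; '.join(findings)}")
```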

Microsoft has also launched a tool on GitHub to help identify compromised devices. This allows users to securely interact with their CODESYS devices to determine if they are indeed vulnerable.

In addition, Microsoft Defender identifies and classifies devices with CODESYS and alerts the system when it detects unauthorized access or strange behavior in such a device. Defender also warns if an attacker tries to exploit a vulnerability.

Microsoft Defender is a solid system and received a solid update last month. However, companies should look a little further, because additional security never hurts.

Source: IT Daily
