

Researchers have disclosed details of three new security vulnerabilities affecting operational technology (OT) products from CODESYS and Festo that could lead to source code tampering and denial-of-service (DoS). The vulnerabilities, reported by Forescout Vedere Labs, are the latest in a long list of flaws collectively tracked under the name OT:ICEFALL.

“These issues exemplify either an insecure-by-design approach — which was usual at the time the products were launched — where manufacturers include dangerous functions that can be accessed with no authentication, or a subpar implementation of security controls, such as cryptography,” the researchers said.

The most severe of the flaws is CVE-2022-3270 (CVSS score: 9.8), which affects Festo automation controllers that implement the Festo Generic Multicast (FGMC) protocol. An attacker can use the protocol to reboot the devices without any authentication, causing a denial-of-service (DoS) condition.

A second DoS weakness in Festo controllers (CVE-2022-3079, CVSS score: 7.5) stems from unauthenticated remote access to an undocumented web page (“cec-reboot.php”). Any attacker with network access to Festo CPX-CEC-C1 and CPX-CMXX PLCs could request the page and take the controller down.

The third issue concerns the use of weak cryptography in the CODESYS V3 runtime environment to protect downloaded code and boot applications (CVE-2022-4048, CVSS score: 7.7). A bad actor could abuse it to decrypt and manipulate the source code, undermining the confidentiality and integrity protections the encryption is meant to provide.

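The following is an added example, not code from the page or from CODESYS, that shows the general failure class behind a finding like CVE-2022-4048: when the only protection on a downloaded program is encryption, an attacker who can rewrite the stored ciphertext can change what the controller decrypts and runs, even without the key. The stream cipher below (keystream blocks derived with HMAC-SHA256 from a counter) is a stand-in chosen because it is malleable; it is not the CODESYS V3 scheme, whose actual weakness the page does not describe. The boot application text, keys and nonce are constructed for the demonstration. The hardened variant adds an encrypt-then-MAC tag over nonce and ciphertext so that the same tampering is rejected before the program is loaded.

```python
import hashlib
import hmac
import os

# Constructed sample "boot application" source; the attacker is assumed to know
# that the setpoint literal "100" sits at a fixed offset in the protected program.
BOOT_APP = b"PROG MAIN: setpoint := 100; IF level > setpoint THEN stop_pump(); END_IF"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream: HMAC-SHA256(key, nonce || counter) blocks (NOT the CODESYS scheme)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_unauthenticated(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream, no integrity check."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


# XOR stream ciphers are symmetric, so decryption is the same operation.
decrypt_unauthenticated = encrypt_unauthenticated


def tamper(ciphertext: bytes, offset: int, known: bytes, desired: bytes) -> bytes:
    """Attacker step, no key needed: flip ciphertext bits so the bytes at `offset`
    decrypt to `desired` instead of the known plaintext `known`."""
    assert len(known) == len(desired)
    delta = xor_bytes(known, desired)
    ct = bytearray(ciphertext)
    for i, d in enumerate(delta):
        ct[offset + i] ^= d
    return bytes(ct)


def encrypt_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Hardened form: encrypt-then-MAC with a separate key; the tag covers nonce + ciphertext."""
    ct = encrypt_unauthenticated(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def decrypt_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject modified programs."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("boot application rejected: integrity check failed")
    return decrypt_unauthenticated(enc_key, nonce, ct)


def demo():
    """Returns (plaintext the PLC would run after tampering the unauthenticated
    ciphertext, whether the authenticated variant detected the same tampering)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    offset = BOOT_APP.index(b"100")

    # 1. Encryption alone: the attacker rewrites the setpoint from 100 to 999 blind.
    ct = encrypt_unauthenticated(enc_key, nonce, BOOT_APP)
    forged = tamper(ct, offset, b"100", b"999")
    tampered_plain = decrypt_unauthenticated(enc_key, nonce, forged)

    # 2. Encrypt-then-MAC: the identical bit flips fail verification.
    ct2, tag = encrypt_authenticated(enc_key, mac_key, nonce, BOOT_APP)
    forged2 = tamper(ct2, offset, b"100", b"999")
    try:
        decrypt_authenticated(enc_key, mac_key, nonce, forged2, tag)
        detected = False
    except ValueError:
        detected = True
    return tampered_plain, detected


if __name__ == "__main__":
    plain, detected = demo()
    print(plain.decode())
    print("tampering detected by authenticated variant:", detected)
```

The point for an OT engineer is that "the download is encrypted" says nothing about whether a controller will load a program someone has modified in transit or at rest; only an integrity check (a MAC or a signature verified by the runtime before the program is activated) closes that gap, and that check must use a key the attacker cannot derive from the device.
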
Forescout said it also identified two known CODESYS bugs impacting Festo CPX-CEC-C1 controllers (CVE-2022-31806 and CVE-2022-22515) that stem from an unsafe configuration in the Control runtime environment and could lead to a denial of service without authentication.

“This is yet another example of a supply chain issue where a vulnerability has not been disclosed for all the products it affects,” the researchers said.

To mitigate potential threats, organizations are advised to discover and inventory vulnerable devices, enforce appropriate network segmentation controls, and monitor network traffic for anomalous activity.
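As an added example of the monitoring advice above (not code from the page or from Forescout), the script below runs a simple detection over web traffic to inventoried PLCs. It flags any request for the undocumented “cec-reboot.php” page named in the CVE-2022-3079 writeup, and it flags any HTTP access to a controller from outside the engineering network as a segmentation violation. The log excerpt is constructed, in a simplified Zeek-like tab-separated layout (timestamp, source IP, destination IP, method, URI, status); the PLC addresses and the 10.10.50.0/24 engineering VLAN are assumptions for the demonstration.

```python
import ipaddress

# Constructed sample log (tab-separated): ts, src, dst, method, uri, status
SAMPLE_HTTP_LOG = """\
1700000000.10\t10.10.50.12\t10.10.50.201\tGET\t/index.php\t200
1700000001.22\t10.10.50.12\t10.10.50.201\tGET\t/cec-reboot.php\t200
1700000002.05\t192.168.7.40\t10.10.50.201\tGET\t/cec-reboot.php?confirm=1\t200
1700000003.40\t192.168.7.40\t10.10.50.202\tPOST\t/login.php\t302
1700000004.00\t10.10.50.12\t10.10.50.202\tGET\t/status.php\t200
"""

PLC_HOSTS = {"10.10.50.201", "10.10.50.202"}              # assumed: inventoried Festo CPX controllers
ENGINEERING_NET = ipaddress.ip_network("10.10.50.0/24")   # assumed: the only segment allowed to reach PLCs
REBOOT_PAGE = "cec-reboot.php"                            # undocumented page from the CVE-2022-3079 finding


def parse_http_log(text: str):
    """Parse the tab-separated sample into dicts; skips blank and comment lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, method, uri, status = line.split("\t")
        rows.append({"ts": float(ts), "src": src, "dst": dst,
                     "method": method, "uri": uri, "status": int(status)})
    return rows


def detect(rows):
    """Return (ts, severity, rule, src, dst) tuples for traffic to PLCs that
    either hits the reboot page or comes from outside the engineering segment."""
    alerts = []
    for r in rows:
        if r["dst"] not in PLC_HOSTS:
            continue                                   # only traffic toward known controllers
        path = r["uri"].split("?", 1)[0]               # drop the query string before matching
        src_ip = ipaddress.ip_address(r["src"])
        inside = src_ip in ENGINEERING_NET
        if path.endswith("/" + REBOOT_PAGE):
            # A reboot request is suspicious even from the engineering VLAN; from
            # anywhere else it is both a segmentation failure and a likely DoS attempt.
            alerts.append((r["ts"], "high" if not inside else "medium", "reboot_page", r["src"], r["dst"]))
        elif not inside:
            alerts.append((r["ts"], "medium", "segmentation_violation", r["src"], r["dst"]))
    return alerts


if __name__ == "__main__":
    for ts, sev, rule, src, dst in detect(parse_http_log(SAMPLE_HTTP_LOG)):
        print(f"{ts:.2f} {sev:6} {rule:22} {src} -> {dst}")
```

Two caveats: the HTTP match covers CVE-2022-3079 only, since FGMC (CVE-2022-3270) is a multicast protocol rather than a web page and needs its own detection; and a PLC that reboots on an unauthenticated request is still vulnerable after the alert fires, so the detection is a compensating control while segmentation keeps untrusted sources off the controller network in the first place.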