Advisory Details

September 16th, 2015

CODESYS Gateway Server Opcode 0x3f0 Heap Buffer Overflow Remote Code Execution Vulnerability

ZDI-15-442
ZDI-CAN-2786

CVE ID CVE-2015-6460
CVSS SCORE 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P
AFFECTED VENDORS Codesys
AFFECTED PRODUCTS Gateway Server
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID ['19577']. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of CODESYS Gateway Server. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of the 0x03f0 opcode. An attacker can send a large buffer of data to the server which causes a heap buffer overflow. An attacker can leverage this vulnerability to execute code under the context of the process.

ADDITIONAL DETAILS Codesys has issued an update to correct this vulnerability. More details can be found at:
https://ics-cert.us-cert.gov/advisories/ICSA-15-258-02
DISCLOSURE TIMELINE
  • 2015-03-11 - Vulnerability reported to vendor
  • 2015-09-16 - Coordinated public release of advisory
CREDIT Josep Pi Rodriguez
BACK TO ADVISORIES