3S-Smart Software Solutions GmbH CODESYS V3 (ICSA-19-213-03)

The NCCIC has published an advisory on unverified ownership and uncontrolled memory allocation vulnerabilities in 3S-Smart Software Solutions GmbH CODESYS V3. All variants of a series of CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected, regardless of the CPU type or operating system. Successful exploitation of these vulnerabilities could allow a remote attacker to close existing communication channels or to take over an already established user session to send crafted packets to a PLC. 3S-Smart Software Solutions GmbH has released v3.5.14.20 and v3.5.15.0. Each of these releases solve the noted vulnerabilities issues. The NCCIC also advises of a series of measures for mitigating the vulnerabilities. Read the advisory at CISA.