3S-Smart Software Solutions GmbH CODESYS V3 (Update A) (ICSA-19-213-04)

May 14, 2020

CISA has updated this advisory with additional details on mitigation measures. Read the advisory at CISA.

August 6, 2019

The NCCIC has published an advisory on an insufficiently protected credentials vulnerability in 3S-Smart Software Solutions GmbH CODESYS V3. All variants of a series of CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected, regardless of the CPU type or operating system. Successful exploitation of this vulnerability could allow for an attacker with access to PLC traffic to obtain user credentials. 3S-Smart Software Solutions GmbH reports this vulnerability will be corrected by Version 3.5.16.0, which is expected to be released February 2020. As long as no update is available, 3S-Smart Software Solutions GmbH strongly recommends activating and using encryption of online communication whenever possible. The encrypted communication protects the password transmission by a TLS based encryption, independent of the weak password encryption affected here. The NCCIC also advises of a series of measures for mitigating the vulnerability. Read the advisory at CISA.