Critical flaw found in software used by many industrial control systems

[InfoSec News <alerts () infosecnews org>]

http://www.computerworld.com/s/article/9232956/Critical_flaw_found_in_software_used_by_many_industrial_control_systems

By Lucian Constantin
IDG News Service
October 26, 2012

CoDeSys, a piece of software running on industrial control systems (ICS) 
from over 200 vendors contains a vulnerability that allows potential 
attackers to execute sensitive commands on the vulnerable devices 
without the need for authentication, according to a report from security 
consultancy Digital Bond.

The vulnerability was discovered by former Digital Bond researcher Reid 
Wightman as part of Project Basecamp, an ICS security research 
initiative launched by Digital Bond last year.

Described as a design issue, the vulnerability is located in the CoDeSys 
runtime, an application that runs on programmable logic controller (PLC) 
devices. PLCs are digital computers that control and automate 
electromechanical processes in power plants, oil and gas refineries, 
factories and other industrial or military facilities.

The CoDeSys runtime allows PLCs to load and execute so-called ladder 
logic files that were created using the CoDeSys development toolkit on a 
regular computer. These files contain instructions that affect the 
processes controlled by the PLCs.

According to the Digital Bond report, the CoDeSys runtime opens a TCP 
(Transmission Control Protocol) listening service that provides access 
to a command-line interface without the need for authentication.

[...]


______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org