The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion do not require authentication for connections to certain TCP ports, which allows remote attackers to modify the configuration via a request to the debug service on port 4000 or delete log entries via a request to the log service on port 4001.
The information has been provided by Reid Wightman.
The affected products are:
* CECX-X-C1 Modular Master Controller with CoDeSys, and
* CECX-X-M1 Modular Controller with CoDeSys and SoftMotion.
Reid Wightman discovered several vulnerabilities in the Festo CECX-X-M1 Modular Controller. These are:
* An FTP backdoor.
* Two unauthenticated ports (Port 4000/TCP debug service port and Port 4001/TCP log service port) that allow modification of memory and of log entries.
* All CoDeSys commands are executed without authentication because of two known vulnerabilities in the CoDeSys V2.3 runtime.
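Because the debug and log services on 4000/TCP and 4001/TCP accept connections without any authentication, the only practical control is network-level: restrict who can reach those ports and alert on everything else. The script below is an added example for this advisory, not code from Festo, ICS-CERT or the researcher. It parses a constructed key=value firewall/flow log format and flags any TCP connection to port 4000 or 4001 on a controller that did not come from an allow-listed engineering host; the address ranges, the allow-list and the sample log lines are constructed assumptions.

```python
"""Flag TCP connections to the unauthenticated debug (4000/TCP) and log
(4001/TCP) services on the Festo CECX-X controllers.

Added example for the advisory above; not Festo, ICS-CERT or Reid Wightman's
code. The key=value log format, the address ranges and the engineering
allow-list are constructed assumptions for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Ports named in the advisory and the service behind each.
UNAUTHENTICATED_PORTS = {4000: "debug service", 4001: "log service"}

# Constructed: engineering workstations expected to talk to the controllers.
ALLOWED_SOURCES = ipaddress.ip_network("10.10.5.0/28")

# Constructed: the VLAN that holds the CECX-X controllers.
CONTROLLER_NET = ipaddress.ip_network("10.10.20.0/24")

# Constructed firewall/flow log line format.
LOG_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+sport=(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    service: str
    severity: str  # "high" if the firewall let the connection through, else "low"


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line shows a non-allow-listed host reaching
    port 4000 or 4001 on a controller, otherwise None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    dport = int(rec["dport"])
    if rec["proto"].lower() != "tcp" or dport not in UNAUTHENTICATED_PORTS:
        return None
    try:
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    # Only controllers matter here, and allow-listed engineering hosts are expected.
    if dst not in CONTROLLER_NET or src in ALLOWED_SOURCES:
        return None
    # A blocked attempt is still worth recording, but a permitted one is the real problem.
    severity = "high" if rec["action"].lower() == "allow" else "low"
    return Finding(str(src), str(dst), dport, UNAUTHENTICATED_PORTS[dport], severity)


def scan(lines) -> List[Finding]:
    """Run check_line over an iterable of log lines and keep the findings."""
    return [f for f in (check_line(line) for line in lines) if f is not None]


# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    "proto=tcp src=10.10.5.3 sport=51234 dst=10.10.20.7 dport=4000 action=allow",   # engineer, expected
    "proto=tcp src=10.10.40.88 sport=40211 dst=10.10.20.7 dport=4000 action=allow", # office host, permitted
    "proto=tcp src=192.168.1.5 sport=3333 dst=10.10.20.9 dport=4001 action=deny",   # blocked attempt
    "proto=tcp src=10.10.40.88 sport=40300 dst=10.10.20.7 dport=502 action=allow",  # other port, ignored
    "proto=udp src=10.10.40.88 sport=1 dst=10.10.20.7 dport=4000 action=allow",     # not TCP, ignored
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.severity}] {f.src} -> {f.dst}:{f.dport} ({f.service})")
```

On the sample lines the scan yields two findings: a high-severity one for the office host that was allowed through to the debug service, and a low-severity one for the blocked attempt on the log service. Note that even allow-listed traffic reaches these services without authentication, so the allow-list only narrows exposure; blocking 4000/TCP and 4001/TCP at the cell boundary is the stronger control.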
This product is used industrywide as a programmable logic controller that includes a multi-axis controller for automated assembly and automated manufacturing. Identified customers are in solar cell manufacturing, automobile assembly, general assembly and parts control, and airframe manufacturing, where tolerances are particularly critical to end product operations. An attacker could change the tolerances of assembly and remove the record of the change.
According to the Festo product web page, other products are using newer versions of CoDeSys software and may not be vulnerable to the CoDeSys vulnerability, but this has not been evaluated by the researcher.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.