Microsoft cybersecurity experts have discovered a number of vulnerabilities in software development tools for programmable logic controllers (PLCs). These devices are widely used in industry, and hacking them has serious consequences. In particular, exploitation of the vulnerabilities threatens to shut down power plants.
Vladimir Tokarev, a Microsoft threat analyst, described 15 errors in the CODESYS V3 SDK, which is used in millions of PLCs in industrial environments around the world. The vulnerabilities are numbered CVE-2022-47379 through CVE-2022-47393, with ratings of 7.5 to 10 out of 10. The package is used by more than 500 device manufacturers. PLCs are used in various fields, including robotics, data center power supplies, medical solutions and security systems, and commercial and residential building automation systems. That covers many thousands of companies and institutions around the world.
Exploiting the discovered vulnerabilities requires the attacker to authenticate, but this is unlikely to be an obstacle for cybercriminals who decide to attack infrastructure assets. The bugs allow remote code execution on compromised hardware and can cause a denial of service. Microsoft discovered the vulnerabilities back in September 2022. Developers using CODESYS are advised to update their tools to version 18.104.22.168 as soon as possible. For additional protection, it is recommended to separate and segment the PLCs and associated infrastructure from the Internet to reduce the likelihood of an attack.
In addition, Microsoft 365 Defender has released a free software tool designed to help engineers and administrators discover vulnerable devices in their infrastructure.