CVE-2019-9013 : Security Advisory and Response
Discover the impact of CVE-2019-9013, a vulnerability in CODESYS V3 products allowing non-TLS encryption, potentially exposing user credentials during transport. Learn how to mitigate and prevent this security risk.
A vulnerability has been identified in various versions of 3S-Smart's CODESYS V3 products, potentially exposing user credentials due to the use of non-TLS encryption.
Understanding CVE-2019-9013
What is CVE-2019-9013?
An issue in 3S-Smart CODESYS V3 products allows non-TLS encryption, leading to inadequate protection of user credentials during transportation.
The Impact of CVE-2019-9013
The vulnerability affects all versions of CODESYS V3 products containing the CmpUserMgr component, regardless of CPU type or operating system.
Technical Details of CVE-2019-9013
Vulnerability Description
- Non-TLS encryption in CODESYS V3 products exposes user credentials during transport.
Affected Systems and Versions
- CODESYS Control for BeagleBone
- CODESYS Control for emPC-A/iMX6
- CODESYS Control for IOT2000
- CODESYS Control for Linux
- CODESYS Control for PFC100
- CODESYS Control for PFC200
- CODESYS Control for Raspberry Pi
- CODESYS Control RTE V3
- CODESYS Control RTE V3 (for Beckhoff CX)
- CODESYS Control Win V3
- CODESYS V3 Simulation Runtime
- CODESYS Control V3 Runtime System Toolkit
- CODESYS HMI V3
Exploitation Mechanism
The vulnerability arises from the use of non-TLS encryption in CODESYS V3 products, allowing unauthorized access to user credentials.
Mitigation and Prevention
Immediate Steps to Take
- Implement TLS encryption for secure data transport.
- Monitor network traffic for any unauthorized access attempts.
Long-Term Security Practices
- Regularly update CODESYS V3 products to the latest secure versions.
- Conduct security audits to identify and address any vulnerabilities.
Patching and Updates
- Apply patches provided by 3S-Smart to address the encryption vulnerability.