Learn about CVE-2022-22518 affecting CODESYS Control products. Understand the security bug's impact, affected versions, and mitigation steps to safeguard systems.
A bug in the CODESYS V3 CmpUserMgr (user management) component can lead to the security policy being only partially applied, leaving anonymous access enabled to components that the policy is supposed to protect.
Understanding CVE-2022-22518
This vulnerability affects several CODESYS Control products with specific versions.
What is CVE-2022-22518?
The bug in the CmpUserMgr component of CODESYS V3 can cause the configured security policy to be applied only partially, so that components the policy is meant to restrict remain reachable without authentication.
The Impact of CVE-2022-22518
The vulnerability can leave anonymous access enabled to components covered by the affected security policy, so an unauthenticated network peer may read from or interact with parts of the runtime that the policy was meant to restrict to authenticated users.
Technical Details of CVE-2022-22518
The vulnerability has a CVSS v3.1 base score of 6.5 (medium severity), with low confidentiality and integrity impacts and no availability impact; this corresponds to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N.
Vulnerability Description
Because of the bug in the CmpUserMgr component, the security policy is only partially enforced: parts of the runtime that should require an authenticated user can still be accessed anonymously, even though user management appears to be configured.
Affected Systems and Versions
Multiple CODESYS Control products are affected. Depending on the product line, all versions before V4.5.0.0 or all versions before V3.5.18.0 are vulnerable; V4.5.0.0 and V3.5.18.0 are the first fixed releases of their respective lines.
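When checking an inventory of controllers against this advisory, the comparison has to be numeric per component (V3.5.9.0 is older than V3.5.18.0, although a plain string comparison says otherwise), and the right fixed version depends on the product line. The following Python is an added example, not code from this page or from CODESYS: it parses CODESYS-style version strings, compares them numerically, and classifies a constructed sample inventory. The product-to-fixed-version mapping in FIXED_VERSIONS is an assumption made here for illustration and must be confirmed against the CODESYS advisory for each product.

```python
import re

# Accepts "V3.5.18.0", "3.5.18" or "v4.5.0.0"; anything else is rejected.
_VERSION_RE = re.compile(r"^[Vv]?(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> tuple:
    """Return the numeric components of a CODESYS-style version string."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_lt(a: tuple, b: tuple) -> bool:
    """Component-wise numeric comparison; shorter tuples are padded with zeros."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed version is older than the first fixed version."""
    return version_lt(parse_version(installed), parse_version(fixed))


# ASSUMPTION: which fixed version applies to which product line. The two fixed
# versions are the ones named in the advisory; the mapping of products to them
# is assumed here for illustration and must be checked against the advisory.
FIXED_VERSIONS = {
    "CODESYS Control for Linux SL": "V4.5.0.0",
    "CODESYS Control RTE (SL)": "V3.5.18.0",
}

# Constructed sample inventory: (host, product, reported runtime version).
SAMPLE_INVENTORY = [
    ("plc-01", "CODESYS Control for Linux SL", "V4.4.0.0"),
    ("plc-02", "CODESYS Control for Linux SL", "V4.5.0.0"),
    ("plc-03", "CODESYS Control RTE (SL)", "V3.5.9.0"),
    ("plc-04", "CODESYS Control RTE (SL)", "3.5.18"),
    ("plc-05", "Some other runtime", "1.0"),
]


def check_inventory(rows, fixed_versions=FIXED_VERSIONS) -> list:
    """Classify each row as 'vulnerable', 'fixed' or 'unknown' (product not in the mapping)."""
    results = []
    for host, product, version in rows:
        fixed = fixed_versions.get(product)
        if fixed is None:
            status = "unknown"
        else:
            status = "vulnerable" if is_vulnerable(version, fixed) else "fixed"
        results.append((host, product, version, status))
    return results


def vulnerable_hosts(rows, fixed_versions=FIXED_VERSIONS) -> list:
    """Hosts that still run a version older than the fixed release for their product."""
    return [host for host, _, _, status in check_inventory(rows, fixed_versions)
            if status == "vulnerable"]


if __name__ == "__main__":
    for host, product, version, status in check_inventory(SAMPLE_INVENTORY):
        print(f"{host:8} {status:10} {product} {version}")
```

Rows whose product is not in the mapping are reported as "unknown" rather than silently treated as fixed, so a gap in the mapping shows up in the output instead of hiding a vulnerable controller.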
Exploitation Mechanism
Exploiting this vulnerability requires only network access to the affected runtime; no privileges and no user interaction are needed, as reflected in the CVSS vector (AV:N, PR:N, UI:N). The exposure is the policy gap itself: components that should be protected by user management simply remain reachable anonymously.
Mitigation and Prevention
Addressing CVE-2022-22518 requires immediate action and long-term security measures to safeguard potentially affected systems.
Immediate Steps to Take
Users are advised to update affected CODESYS products to V4.5.0.0 or later, or to V3.5.18.0 or later, depending on the product line. After updating, confirm that the user-management policy is fully in effect, i.e. that no component covered by the policy still accepts anonymous access.
Long-Term Security Practices
Because exploitation needs only network reachability, limit network exposure of the runtime's communication interfaces (network segmentation, firewalling, no direct Internet exposure) and regularly verify that configured security policies are actually enforced, for example by checking access controls from an unauthenticated position rather than relying on the configuration alone.
Patching and Updates
Regularly check for security updates from CODESYS and apply patches promptly to maintain system security.