CVE-2012-6068

Summary

The Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not require authentication, which allows remote attackers to execute commands via the command-line interface in the TCP listener service or transfer files via requests to the TCP listener service.

Affected Software

VendorProductVersion RangeStatus
3S-Smart Software SolutionsCODESYS Control Runtime embedded0 < 2.3.2.8affected
3S-Smart Software SolutionsCODESYS Control Runtime full0 < 2.4.7.40affected
3S-Smart Software SolutionsCODESYS Control RTE0 < 2.3.7.17affected
FestoCECX-X-C1 Modular Master Controller with CoDeSysAllaffected
FestoCECX-X-M1 Modular Controller with CoDeSys and SoftMotionAllaffected
3S-Smart Software SolutionsCoDeSys3.Xunaffected

Weaknesses

  • CWE-284: CWE-284

Workarounds

3S also recommends the usage of standard security methods like firewalls or virtual private network (VPN) access to prevent unauthorized access to the controller.

ADP Enrichment

CVE Program Container

Additional References

References