CVE-2012-6069

Summary

The CoDeSys Runtime Toolkit’s file transfer functionality does not perform input validation, which allows an attacker to access files and directories outside the intended scope. This may allow an attacker to upload and download any file on the device. This could allow the attacker to affect the availability, integrity, and confidentiality of the device.

Affected Software

VendorProductVersion RangeStatus
3S-Smart Software SolutionsCODESYS Control Runtime embedded0 < 2.3.2.8affected
3S-Smart Software SolutionsCODESYS Control Runtime full0 < 2.4.7.40affected
3S-Smart Software SolutionsCODESYS Control RTE0 < 2.3.7.17affected
FestoCECX-X-C1 Modular Master Controller with CoDeSysAllaffected
FestoCECX-X-M1 Modular Controller with CoDeSys and SoftMotionAllaffected
3S-Smart Software SolutionsCoDeSys3.Xunaffected

Weaknesses

  • CWE-23: CWE-23

Workarounds

3S also recommends the usage of standard security methods like firewalls or virtual private network (VPN) access to prevent unauthorized access to the controller.

ADP Enrichment

CVE Program Container

Additional References

References