CODESYS web server buffer overflow CVE-2019-18858

By

CODESYS
CODESYS is a development environment for programming controller applications.

CODESYS WebVisu
The CODESYS web server is used by the CODESYS WebVisu to display CODESYS visualization screens in a web browser. With a controller, equipped with the CODESYS WebVisu you can comfortably visualize your CODESYS screens optimized in a web browser, whenever and wherever you want.

The Vulnerability
CODESYS 3 web server before 3.5.15.20, as distributed with CODESYS Control runtime systems, has a Buffer Overflow. (CVE-2019-18858)
A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code.
Specially crafted requests to the CODESYS WebVisu server can lead to heap buffer overflow. Further this could crash the web server, lead to a denial-of-service condition or may be utilized for remote code execution. As the web server is part of the CODESYS runtime system, this may result in unforeseen behavior of the complete runtime system.
A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to the target web server. Successful exploitation results in arbitrary code execution in the security context of the process.

Like in the case below, the remote attacker can POST to the WebVsuV3 url containing a special header followed by a long payload(which can be malicious).

The PoC is publically available here https://github.com/tenable/poc/blob/master/codesys/codesys_v3_webserver_heap_overflow.py

Mitigation
Upgrading the CODESYS 3 web server to version higher than 3.5.15.20 will mitigate the risk .

SonicWALL Capture Labs Threat Research team provides protection against this threat via following signatures:
IPS 14673 CoDeSys CmpWebServer Buffer Overflow 2
IPS 14674 CoDeSys CmpWebServer Buffer Overflow 3

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.