Information contained in this news release is current as of the date of the press announcement, but may be subject to change without prior notice.
February 6, 2023
We, Hitachi Industrial Equipment Systems Co., Ltd., are aware of public reports regarding a vulnerability in the CODESYS runtime used in the following products and versions. No known public exploit specifically targets this vulnerability, but the CODESYS runtime contains features that can potentially be used to access files outside the restricted working directory of the controller.
Vulnerability ID: CVE-2018-25048
Type: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v3.1 base score: 8.8
For communication with the HX-CODESYS Development System, the implemented CODESYS protocol also provides access to files and directories outside the restricted working directory of the controller. Depending on the configuration under which the CODESYS runtime system is executed, either all system files or only the files (including network shares) reachable in the user context can be accessed. The vulnerability has been published by CODESYS GmbH and has already been fixed.
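The mechanism described above, a file service resolving a client-supplied path against a restricted working directory, is CWE-22 in its general form. The following Python is an added illustration, not CODESYS or Hitachi code, and makes no claim about how the CODESYS runtime implements its file service. It places the common vulnerable pattern (join the path, check a string prefix) beside a containment check that also defeats the two variants the prefix check misses: a sibling directory sharing the name prefix and a symbolic link pointing outside. The directory names (plc, plc2, PlcLogic, link_out, outside.txt) are constructed for the demo.

```python
import os
import tempfile

# Added example (not CODESYS or Hitachi code): confining client-supplied
# paths to a controller working directory. All directory names are made up.


def naive_resolve(working_dir: str, requested: str) -> str:
    """Vulnerable pattern (CWE-22).

    Joins the client path onto the working directory and only checks that the
    textual result starts with the working-directory string. '..' into a
    sibling whose name shares the prefix (/var/plc2 vs /var/plc) and symbolic
    links are not caught.
    """
    candidate = os.path.normpath(os.path.join(working_dir, requested))
    if not candidate.startswith(working_dir):
        raise PermissionError(requested)
    return candidate


def safe_resolve(working_dir: str, requested: str) -> str:
    """Hardened pattern.

    - rejects absolute client paths outright
    - canonicalises with realpath, which resolves '..' and follows symlinks
    - compares with commonpath, so /var/plc2 is not mistaken for a child of
      /var/plc
    """
    if os.path.isabs(requested):
        raise PermissionError(f"absolute path not allowed: {requested!r}")
    root = os.path.realpath(working_dir)
    candidate = os.path.realpath(os.path.join(root, requested))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # different drives on Windows: cannot be inside root
        inside = False
    if not inside:
        raise PermissionError(f"path escapes working directory: {requested!r}")
    return candidate


def classify(resolver, working_dir, requests):
    """Map each request to 'allowed' or 'blocked' under the given resolver."""
    result = {}
    for req in requests:
        try:
            resolver(working_dir, req)
            result[req] = "allowed"
        except PermissionError:
            result[req] = "blocked"
    return result


def demo():
    """Build a throwaway tree and compare both resolvers on the same requests.

    Constructed layout:
      base/plc/PlcLogic/app.bin   legitimate application file
      base/plc/link_out -> base   symlink pointing outside the working dir
      base/plc2/secret.txt        sibling directory sharing the name prefix
      base/outside.txt            file outside the working directory
    """
    with tempfile.TemporaryDirectory() as base:
        base = os.path.realpath(base)  # /tmp may itself be a symlink
        root = os.path.join(base, "plc")
        os.makedirs(os.path.join(root, "PlcLogic"))
        os.makedirs(os.path.join(base, "plc2"))
        for rel in ("plc/PlcLogic/app.bin", "plc2/secret.txt", "outside.txt"):
            with open(os.path.join(base, rel), "w") as fh:
                fh.write("x")
        os.symlink(base, os.path.join(root, "link_out"))

        requests = [
            "PlcLogic/app.bin",                  # legitimate
            "../outside.txt",                    # classic dot-dot traversal
            "../plc2/secret.txt",                # prefix-sibling bypass
            "link_out/outside.txt",              # symlink escape
            os.path.join(base, "outside.txt"),   # absolute path
        ]
        return {
            "naive": classify(naive_resolve, root, requests),
            "safe": classify(safe_resolve, root, requests),
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running `demo()` shows the naive resolver admitting the sibling-directory and symlink requests while the hardened one allows only the legitimate application file. The realpath step matters because a symlink inside the working directory is a legitimate-looking relative path until it is followed; a check that never touches the filesystem cannot see it.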
Name | Model Number | Software Version |
---|---|---|
HX series CPU module | HX-CP1S08/-0 | 3.5.16.25 or older |
HX series CPU module | HX-CP1H16/-0 | 3.5.16.25 or older |
HX series CPU module | HX-CP1S08M/-0 | 3.5.16.25 or older |
HX series CPU module | HX-CP1H16M/-0 | 3.5.16.25 or older |
HX series CPU module | HXC-CP1H16/-0 | 3.5.16.25 or older |
Exploitation of this vulnerability could allow a remote party with low privileges (PR:L in the CVSS vector above) to access files outside the working directory, including changing system configuration files.
Some countermeasures are available that involve replacing the system configuration file. Please contact your local supplier for details.
All affected products shall be used only as described in the Safety Precautions in the manual. The following defensive measures are recommended in order to reduce the risk of exploitation of this vulnerability:
This fix will be applied to HX-CPU V3.5.16.26, which is currently scheduled for February 2023.
CODESYS is a registered trademark of CODESYS GmbH.
Revision | Description | Date |
---|---|---|
1.0 | Creation | February 1, 2023 |