News Releases

Information contained in this news release is current as of the date of the press announcement, but may be subject to change without prior notice.

February 6, 2023

Path traversal issue in IoT PAC Controller HX series CPU module (CVE-2018-25048)

We Hitachi Industrial Equipment Systems Co., Ltd. are aware of public reports regarding a vulnerability in the CODESYS runtime which is applied to the following products and versions. No known public exploits specifically target this vulnerability, but there exist features in CODESYS runtime, which can potentially be used to access files outside the restricted working directory of the controller.

Vulnerability Overview

Vulnerability ID: CVE-2018-25048
Type: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v3.1 base score: 8.8

Vulnerability Details

For the communication with HX-CODESYS Development System, the implemented CODESYS protocol provides also access to the files or directories located underneath a restricted parent directory system of the controller. Depending on the configuration which the CODESYS runtime system is executed, all system files or only the files (including network shares) of the user context can be accessed. The vulnerability has been published by CODESYS GmbH and has already been fixed.

Affected Products

Name	Model Number	Software Version
HX series CPU module	HX-CP1S08/-0	3.5.16.25 or older
	HX-CP1H16/-0
	HX-CP1S08M/-0
	HX-CP1H16M/-0
	HXC-CP1H16/-0

*: Please refer to the manual how to check the firmware version. The manual is available for downloading from our website.

Threats by Vulnerability

It could allow an unauthorized remote party to change system configuration files.

Recommended Countermeasures

There are some countermeasures that can be taken by replacing the system configuration file. Please contact your local supplier for details.

Mitigation

All affected products shall be used only as described Safety Precautions in the manual. The following defensive measures are recommended in order to reduce the risk of exploitation of this vulnerability:

Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
Use firewalls to protect and separate the control system network from other networks
Use VPN (Virtual Private Networks) tunnels if remote access is required
Activate and apply user management and password features
Limit the access to both development and control system by physical means, operating system features, etc.
Protect both development and control system by using up to date virus detecting solutions

Fixed Version

This fix will be applied to HX-CPU V3.5.16.26, which is currently scheduled for February 2023.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25048(Open in a new window)

https://customers.codesys.com/fileadmin/data/customers/security/2018/Advisory2018-04_CDS-59017.pdf(Open in a new window)

Trademarks

CODESYS is registered trademarks of CODESYS GmbH.

Change History

Revision	Description	Date
1.0	Creation	February 1, 2023

Page top