Critical buffer overflow in CODESYS allows remote code execution


A critical heap-based buffer overflow flaw in a web server for the CODESYS automation software for engineering control systems could be exploited by a remote, unauthenticated attacker to crash a server or execute arbitrary code.

CODESYS is a software platform, developed by the German company Smart Software Solutions, used in the automation industry for programming controller applications.

The CODESYS web server is used by the CODESYS WebVisu to display CODESYS visualization screens in a common web browser.

The flaw tracked as CVE-2020-10245 is easy to exploit, it received a severity rate of 10 out of 10 on the CVSS v.2. A heap overflow condition is a type of buffer overflow, where a heap portion of memory could be overwritten with the content exceeding a buffer. Usually, the buffer was allocated using a routine such as malloc().

Read more…