CVE-2018-20025
Description
Use of Insufficiently Random Values exists in CODESYS V3 products in versions prior to V3.5.14.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CODESYS V3 communication servers use insufficiently random values, enabling attack vectors that compromise data integrity and confidentiality.
Vulnerability
The vulnerability is a use of insufficiently random values in all CODESYS V3 products in versions prior to V3.5.14.0 [1][2]. The communication servers within these products generate random numbers that are not sufficiently random, which can be exploited in cryptographic or other random-number-dependent contexts [1][2].
Exploitation
This vulnerability can be exploited remotely by an attacker with a low skill level [2]. No authentication is required. The attacker can observe or manipulate communication to exploit the weakness in random number generation, potentially disguising the source of malicious communication packets [2].
Impact
Successful exploitation of this insufficient randomness weakness affects both the confidentiality and integrity of data stored on the device [2]. An attacker can disguise the source of malicious communication packets, potentially leading to man-in-the-middle attacks or other forms of data compromise [2].
Mitigation
The vendor released a patch in December 2018 [1]. Users are advised to update to CODESYS V3 version 3.5.14.0 or later [1][2]. As interim mitigations, CISA recommends using controllers and devices only in protected environments with firewalls and VPNs, and applying user management and access controls [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Kaspersky Lab/CODESYS V3 products (v5). Range: prior V3.5.14.0
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/106251 (mitre: vdb-entry, x_refsource_BID)
- ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-037-codesys-control-v3-use-of-insufficiently-random-values/ (mitre: x_refsource_MISC)
- ics-cert.us-cert.gov/advisories/ICSA-18-352-04 (mitre: x_refsource_MISC)