February 6, 2023

Path traversal issue in IoT PAC Controller HX series CPU module (CVE-2018-25048)

We, Hitachi Industrial Equipment Systems Co., Ltd., are aware of public reports regarding a vulnerability in the CODESYS runtime, which is used in the following products and versions. No known public exploits specifically target this vulnerability, but features in the CODESYS runtime can potentially be used to access files outside the restricted working directory of the controller.

Vulnerability Overview

Vulnerability ID: CVE-2018-25048
Type: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v3.1 base score: 8.8

Vulnerability Details

For communication with the HX-CODESYS Development System, the implemented CODESYS protocol also provides access to files and directories located underneath a restricted parent directory of the controller. Depending on the configuration under which the CODESYS runtime system is executed, all system files or only the files (including network shares) of the user context can be accessed. The vulnerability has been published by CODESYS GmbH and has already been fixed.
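
The class of flaw named above (CWE-22), shown as an added example that is not Hitachi's or CODESYS's code: a textual check that only collapses ".." next to a check that resolves the real location before comparing it with the working directory. The function names, the file names and the directory layout are assumptions constructed for illustration.

```python
import os
import tempfile


class PathEscapeError(ValueError):
    """The request resolves outside the restricted working directory."""


def lexical_allows(workdir: str, requested: str) -> bool:
    # Weak check: collapses ".." textually but never consults the file system,
    # so a symlink inside the working directory still leads outside it.
    root = os.path.abspath(workdir)
    candidate = os.path.normpath(os.path.join(root, requested))
    return os.path.commonpath([root, candidate]) == root


def confined_resolve(workdir: str, requested: str) -> str:
    # Stronger check: resolve symlinks and ".." first, then require the real
    # location to stay underneath the real working directory.
    root = os.path.realpath(workdir)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PathEscapeError(f"{requested!r} resolves outside {root!r}")
    return target


def demo() -> dict:
    # Constructed layout: <tmp>/plc/work is the restricted directory and
    # <tmp>/plc/system.cfg stands in for a system configuration file.
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        work = os.path.join(tmp, "plc", "work")
        os.makedirs(work)
        for path in (os.path.join(work, "app.prg"), os.path.join(tmp, "plc", "system.cfg")):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.symlink(os.path.join(tmp, "plc"), os.path.join(work, "link"))
        for name in ("app.prg", "../system.cfg", "/etc/hostname", "link/system.cfg"):
            try:
                confined_resolve(work, name)
                confined_ok = True
            except PathEscapeError:
                confined_ok = False
            outcome[name] = (lexical_allows(work, name), confined_ok)
    return outcome


if __name__ == "__main__":
    for name, (lexical, confined) in demo().items():
        print(f"{name:18} lexical={lexical!s:5} confined={confined}")
```

A caller should open the path that `confined_resolve` returns rather than the original name, so that the path that was checked is the path that is used.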

Affected Products

| Name | Model Number | Software Version |
|---|---|---|
| HX series CPU module | HX-CP1S08/-0 | 3.5.16.25 or older |
| | HX-CP1H16/-0 | |
| | HX-CP1S08M/-0 | |
| | HX-CP1H16M/-0 | |

※ Please refer to the manual for how to check the firmware version. The manual is available for download from our website.

Threats by Vulnerability

It could allow an unauthorized remote party to change system configuration files.

Recommended Countermeasures

There are some countermeasures that can be taken by replacing the system configuration file. Please contact your local supplier for details.

Mitigation

All affected products shall be used only as described in the Safety Precautions in the manual. The following defensive measures are recommended in order to reduce the risk of exploitation of this vulnerability:

Fixed Version

This fix will be applied to HX-CPU V3.5.16.26, which is currently scheduled for February 2023.

References

CVE-2018-25048

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25048

Advisory 2018-04: Security update for CODESYS V2 and V3 runtime systems

https://customers.codesys.com/fileadmin/data/customers/security/2018/Advisory2018-04_CDS-59017.pdf

Trademarks

CODESYS is a registered trademark of CODESYS GmbH.

Change History

| Revision | Description | Date |
|---|---|---|
| 1.0 | Creation | February 1, 2023 |
