PT-2019-6349 · 3S Smart · Codesys Control V3 Runtime System Toolkit+12

Junyoung Park · Published 2019-07-22 · Updated 2023-08-14 · CVE-2019-9013

CVSS v3.1: 8.8 (High)

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

3S-Smart CODESYS V3 products versions containing the CmpUserMgr component
CODESYS Control for BeagleBone versions containing the CmpUserMgr component
CODESYS Control for emPC-A/iMX6 versions containing the CmpUserMgr component
CODESYS Control for IOT2000 versions containing the CmpUserMgr component
CODESYS Control for Linux versions containing the CmpUserMgr component
CODESYS Control for PFC100 versions containing the CmpUserMgr component
CODESYS Control for PFC200 versions containing the CmpUserMgr component
CODESYS Control for Raspberry Pi versions containing the CmpUserMgr component
CODESYS Control RTE V3 versions containing the CmpUserMgr component
CODESYS Control RTE V3 (for Beckhoff CX) versions containing the CmpUserMgr component
CODESYS Control Win V3 versions containing the CmpUserMgr component
CODESYS V3 Simulation Runtime versions containing the CmpUserMgr component
CODESYS Control V3 Runtime System Toolkit versions containing the CmpUserMgr component
CODESYS HMI V3 versions containing the CmpUserMgr component

Description

The issue is related to the use of non-TLS based encryption in the CmpUserMgr component of CODESYS V3 products, which results in user credentials being insufficiently protected during transport. This could allow a remote attacker to gain unauthorized access to protected information. Authentication is needed for exploitation, but there are cases where this requirement could be bypassed.

Recommendations

For all versions of the following products containing the CmpUserMgr component, consider disabling the CmpUserMgr component until a patch is available:

3S-Smart CODESYS V3 products
CODESYS Control for BeagleBone
CODESYS Control for emPC-A/iMX6
CODESYS Control for IOT2000
CODESYS Control for Linux
CODESYS Control for PFC100
CODESYS Control for PFC200
CODESYS Control for Raspberry Pi
CODESYS Control RTE V3
CODESYS Control RTE V3 (for Beckhoff CX)
CODESYS Control Win V3
CODESYS V3 Simulation Runtime
CODESYS Control V3 Runtime System Toolkit
CODESYS HMI V3

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Use of a Broken Cryptographic Algorithm

Related Identifiers

BDU:2023-02926
CVE-2019-9013

Affected Products

3S-Smart Codesys V3
Codesys Control Rte V3
Codesys Control V3 Runtime System Toolkit
Codesys Control Win V3
Codesys Control For Beaglebone
Codesys Control For Iot2000
Codesys Control For Linux
Codesys Control For Pfc100
Codesys Control For Pfc200
Codesys Control For Raspberry Pi
Codesys Control For Empc-A/Imx6
Codesys Hmi V3
Codesys V3 Simulation Runtime