CVE-2023-37552: 
CODESYS Development System vulnerability analysis and mitigation

CVE-2023-37552 affects multiple versions of Codesys products, discovered in August 2023. The vulnerability exists in the CmpAppBP component where specific crafted network communication requests with inconsistent content can cause the component to read internally from an invalid address after successful user authentication. This vulnerability is distinct from related issues CVE-2023-37553, CVE-2023-37554, CVE-2023-37555, and CVE-2023-37556 (VDE Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-20 (Improper Input Validation). It affects the CmpAppBP component's handling of network communication requests, where malformed content can trigger invalid memory address reads (NVD).

When successfully exploited, this vulnerability can lead to a denial-of-service condition in the affected Codesys products. The impact is primarily on system availability, with no direct effect on confidentiality or integrity (VDE Advisory).

CODESYS GmbH recommends using the online user management system, which is enforced by default as of version 3.5.17.0. For permanent remediation, users should update to version 3.5.19.20 for Control RTE products and Development System V3, or version 4.10.0.0 (scheduled for October 2023) for Control SL products. The updates can be obtained through the CODESYS Installer or CODESYS Store (VDE Advisory).

The vulnerability was reported by Vladimir Tokarev from CPS Research, Microsoft Threat Intelligence Community, with coordination handled by CERT@VDE (VDE Advisory).