CVE-2023-37555: 
CODESYS Development System vulnerability analysis and mitigation

CVE-2023-37555 was disclosed on August 3, 2023, affecting multiple versions of CODESYS products. The vulnerability occurs when, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is distinct from related issues CVE-2023-37552, CVE-2023-37553, CVE-2023-37554, and CVE-2023-37556 (VDE Advisory).

The vulnerability is classified with a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The weakness is categorized as Improper Input Validation (CWE-20). The vulnerability requires network access and low privileges, but no user interaction. It affects the CmpAppBP component's handling of network communication requests (VDE Advisory).

When successfully exploited, the vulnerability can lead to a denial-of-service condition by causing the CmpAppBP component to read from an invalid memory address. This can affect the availability of the CODESYS Control runtime system, which enables embedded or PC-based devices to function as programmable industrial controllers (VDE Advisory).

CODESYS GmbH strongly recommends using the online user management system, which is enforced by default as of version 3.5.17.0. For affected products, updates are available: version 3.5.19.20 for CODESYS Control RTE and related products, and version 4.10.0.0 (scheduled for October 2023) for CODESYS Control platform-specific variants. Updates can be obtained through the CODESYS Installer, CODESYS Store, or the CODESYS Update area (VDE Advisory).