CVE-2023-37556: 
CODESYS Development System vulnerability analysis and mitigation

CVE-2023-37556 was disclosed on August 3, 2023, affecting multiple versions of Codesys products. The vulnerability allows an authenticated user to cause a denial-of-service condition by sending specifically crafted network communication requests with inconsistent content to the CmpAppBP component, which can lead to reading from an invalid internal address (VDE Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as an Improper Input Validation (CWE-20) issue. It requires network access and low-level privileges to exploit, with no user interaction needed (VDE Advisory).

When successfully exploited, the vulnerability can cause the CmpAppBP component to read from an invalid internal address, potentially leading to a denial-of-service condition. This affects the availability of the system but does not impact confidentiality or integrity (VDE Advisory).

CODESYS GmbH recommends using the online user management system, which is enforced by default as of version 3.5.17.0. For permanent remediation, users should update to version 3.5.19.20 for Control RTE products and Development System, or version 4.10.0.0 (scheduled for October 2023) for Control SL products (VDE Advisory).