CVE-2023-37559: 
CODESYS Development System vulnerability analysis and mitigation

CVE-2023-37559 is a vulnerability discovered in multiple Codesys products that affects the CmpAppForce component. The vulnerability was disclosed on August 3, 2023, and impacts various versions of CODESYS Control runtime systems, including Control for BeagleBone SL, Control for Linux SL, and several other variants. The vulnerability requires successful authentication as a user before it can be exploited (VDE Advisory).

The vulnerability stems from improper input validation (CWE-20) in the CmpAppForce component. When specific crafted network communication requests with inconsistent content are sent to the system, it can cause the component to read internally from an invalid address. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, and required low privileges (VDE Advisory).

The successful exploitation of this vulnerability can potentially lead to a denial-of-service condition in the affected systems. The impact is primarily focused on system availability, with no direct effect on confidentiality or integrity of the system (VDE Advisory).

CODESYS GmbH recommends using the online user management system, which provides protection against these security vulnerabilities. For permanent remediation, users should update to version 3.5.19.20 for products like CODESYS Control RTE, Control Win, and Development System V3. For other affected products such as Control for BeagleBone SL and Control for Linux SL, updates to version 4.10.0.0 (scheduled for October 2023) are recommended (VDE Advisory).