PatchSiren

CVE-2024-6876 CODESYS GmbH CVE debrief

CVE-2024-6876 is a medium-severity out-of-bounds read vulnerability in the OSCAT Basic Library, published by CISA on 2024-11-21. The flaw allows a local, unprivileged attacker to access limited internal PLC data and potentially crash the affected service. The vulnerability affects CODESYS OSCAT Basic Library version 3.3.5.0 and earlier versions of the oscat.de OSCAT Basic Library (<=3.3.5 and <=335). CODESYS GmbH has released version 3.3.5.0 to address this issue. Users must update the library in the Library Manager, then perform a download or online change to update the PLC application and rebuild the boot application. As a workaround without updating, validate all values before passing them to affected functions, specifically by blocking negative values passed as parameters to MONTH_TO_STRING.

Vendor: CODESYS GmbH
Product: CODESYS OSCAT Basic Library
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-11-21
Original CVE updated: 2024-11-21
Advisory published: 2024-11-21
Advisory updated: 2024-11-21

Who should care

Industrial control system operators, OT security teams, and engineers using CODESYS development environments with the OSCAT Basic Library should prioritize this update. Organizations with PLCs running affected library versions in production environments face a risk of service disruption and limited data exposure from local access.

Technical summary

The OSCAT Basic Library contains an out-of-bounds read vulnerability in the MONTH_TO_STRING function. A local, unprivileged attacker can exploit this to read limited internal PLC memory, potentially causing information disclosure or denial of service through an application crash. The vulnerability stems from insufficient input validation: negative parameter values are accepted and trigger the out-of-bounds access. The attack vector is local (AV:L), with low attack complexity (AC:L) and no privileges required (PR:N).

Defensive priority

medium

Recommended defensive actions

  • Update OSCAT Basic Library to version 3.3.5.0
  • Adjust the library version in CODESYS Library Manager to 3.3.5.0
  • Perform download or online change to update the PLC application
  • Rebuild and download the boot application to ensure persistence
  • If unable to update, validate all input values before passing them to affected functions and block negative values as MONTH_TO_STRING parameters
  • Review CERT@VDE advisory VDE-2024-046 for additional technical details
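
One way to implement the input-validation workaround from the list above, as an added Structured Text example (not code from CODESYS, OSCAT or the advisory). The wrapper name SAFE_MONTH_TO_STRING, the parameter names MTH, LANG and LX, the STRING(10) return type and the MAX_LANG bound are assumptions to check against the library documentation; the upper-bound checks go beyond the advisory's "block negative values" guidance.

```iecst
(* Added example: guard wrapper around MONTH_TO_STRING.
   Not OSCAT or CODESYS code. Call this from application code
   instead of calling MONTH_TO_STRING directly. *)
FUNCTION SAFE_MONTH_TO_STRING : STRING(10)
VAR_INPUT
    MTH  : INT;  (* month number, expected 1..12 (assumption) *)
    LANG : INT;  (* language selector, 0 = library default (assumption) *)
    LX   : INT;  (* text length selector (assumption) *)
END_VAR
VAR CONSTANT
    (* Hypothetical bound: set to the highest language index
       configured in your library setup. *)
    MAX_LANG : INT := 3;
END_VAR

(* Default result for any rejected input: empty string. *)
SAFE_MONTH_TO_STRING := '';

(* Advisory workaround: never pass a negative value in any
   parameter, since negative values trigger the out-of-bounds read. *)
IF MTH < 0 OR LANG < 0 OR LX < 0 THEN
    RETURN;
END_IF

(* Stricter range checks (assumed valid ranges, see above). *)
IF MTH < 1 OR MTH > 12 OR LANG > MAX_LANG THEN
    RETURN;
END_IF

(* All parameters validated: forward to the library function. *)
SAFE_MONTH_TO_STRING := MONTH_TO_STRING(MTH := MTH, LANG := LANG, LX := LX);
```

Callers can treat an empty return string as "input rejected" and log or alarm on it, which also gives visibility into unexpected values reaching this call.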

Evidence notes

Vulnerability details and remediation guidance are derived from CISA ICS Advisory ICSA-24-326-02, which references CERT@VDE advisory VDE-2024-046. The advisory confirms the out-of-bounds read vulnerability in the OSCAT Basic Library's MONTH_TO_STRING function and provides specific update and mitigation instructions.
