PatchSiren cyber security CVE debrief

CVE-2019-18858 Festo CVE debrief

CVE-2019-18858 is a critical buffer overflow in the CODESYS 3 web server before 3.5.15.20. In the CISA CSAF advisory republished from Festo/CERT@VDE, the issue is tied to Festo Automation Suite deployments that include CODESYS components. Because the CVSS vector is network-based with no privileges or user interaction required, and the potential impact is high across confidentiality, integrity, and availability, this should be treated as a high-priority OT/ICS patching issue.

Vendor: Festo
Product: Unknown
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-09-30
Original CVE updated: 2025-11-13
Advisory published: 2025-09-30
Advisory updated: 2025-11-13

Who should care

OT/ICS operators using Festo Automation Suite, administrators of CODESYS-based control or runtime environments, and asset owners responsible for engineering workstations or distributed runtime systems that may include bundled CODESYS components.

Technical summary

The source advisory states that CODESYS 3 web server versions before 3.5.15.20 are affected by a buffer overflow. The advisory scope includes Festo Automation Suite installations that bundled CODESYS components, and it notes that starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and must be installed separately. The supplied CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) describes an issue reachable over the network with no privileges or user interaction required, and a high impact on confidentiality, integrity, and availability if exploited.

Defensive priority

Critical

Recommended defensive actions

  • Inventory Festo Automation Suite and CODESYS installations to identify affected versions and bundled components.
  • Apply vendor updates so the CODESYS component is at or above version 3.5.15.20.
  • Move Festo Automation Suite to 2.8.0.138 or later where applicable, and verify any separately installed CODESYS package is patched through official vendor channels.
  • Follow the installation and update instructions published by CODESYS and Festo rather than using ad hoc package sources.
  • Monitor CISA, Festo PSIRT, and CERT@VDE advisories for follow-on revisions or scope changes.
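The inventory and patch-verification steps above can be scripted. The following is an added example, not code from PatchSiren, Festo, or CODESYS; it applies the two thresholds stated in this advisory (CODESYS 3.5.15.20 and Festo Automation Suite 2.8.0.138) to a constructed host inventory, and flags older Festo Automation Suite builds with no recorded CODESYS version for manual verification because those builds bundled CODESYS.

```python
import re
from dataclasses import dataclass
from typing import Optional, List, Dict

# Thresholds taken from the advisory text on this page.
CODESYS_FIXED = (3, 5, 15, 20)    # CODESYS 3 web server fixed in 3.5.15.20
FAS_UNBUNDLED = (2, 8, 0, 138)    # Festo Automation Suite stops bundling CODESYS here

def parse_version(text: str) -> tuple:
    """Turn strings like '3.5.15.19' or 'V3.5.15' into a 4-tuple; missing parts are 0."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text)[:4])
    return parts + (0,) * (4 - len(parts))

@dataclass
class Host:
    name: str
    fas_version: Optional[str]       # Festo Automation Suite version, None if not installed
    codesys_version: Optional[str]   # CODESYS web server version, None if none was found

def assess(host: Host) -> str:
    """Classify one host as vulnerable, patched, verify, or not-applicable."""
    if host.codesys_version is not None:
        if parse_version(host.codesys_version) < CODESYS_FIXED:
            return "vulnerable"
        return "patched"
    # No CODESYS version recorded. Suites older than 2.8.0.138 bundled CODESYS,
    # so the absence of a version there means the scan missed it, not that it is absent.
    if host.fas_version is not None and parse_version(host.fas_version) < FAS_UNBUNDLED:
        return "verify"
    return "not-applicable"

def triage(hosts: List[Host]) -> Dict[str, List[str]]:
    """Group host names by assessment so the vulnerable list can be acted on first."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "verify": [], "patched": [], "not-applicable": []}
    for host in hosts:
        groups[assess(host)].append(host.name)
    return groups

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_HOSTS = [
    Host("eng-ws01", "2.7.0.100", "3.5.15.10"),   # bundled, old CODESYS
    Host("eng-ws02", "2.8.0.138", "3.5.16.0"),    # separately installed, patched
    Host("eng-ws03", "2.6.1.5", None),            # old suite, CODESYS not detected
    Host("eng-ws04", "2.8.0.138", None),          # new suite, no CODESYS present
    Host("rt-node01", None, "V3.5.15.20"),        # standalone runtime at the fix version
]

if __name__ == "__main__":
    for group, names in triage(SAMPLE_HOSTS).items():
        print(f"{group}: {', '.join(names) or '-'}")
```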

Evidence notes

CISA's CSAF advisory ICSA-26-076-01 republishes the Festo SE & Co. KG advisory FSA-202601 and identifies the vulnerable component as 'CODESYS 3 web server before 3.5.15.20.' The source metadata also says that from Festo Automation Suite 2.8.0.138 onward, CODESYS is no longer bundled and must be installed separately. The prompt's vendor mapping is low-confidence and should be reviewed against the Festo/CERT@VDE references.

Official resources

CISA published the CSAF advisory on 2026-02-26 and republished/updated it on 2026-03-17. The supplied corpus does not list this CVE in KEV and does not indicate ransomware campaign use.