CISA issues alert on vulnerabilities in Festo Compact Vision System products
Multiple Festo products, including the Compact Vision System, Control Block, Controller, and Operator Unit, exhibit vulnerabilities that permit unauthorized access and alteration of configuration data. These flaws arise from improper resource exposure and insecure default configurations, posing risks of unauthenticated device access and configuration modification.
The affected products encompass all versions of Festo Software Compact Vision System SBO-Q, various Control blocks such as CPX-CEC-C1 and CPX-CEC-M1 across Codesys V2 and V3, multiple Controller models including CECC-D and CPX-E-CEC variants, as well as operator units CDPX-X series. One identified vulnerability, CVE-2022-22515, involves exposure of resources to an incorrect sphere, allowing remote authenticated attackers to read and modify configuration files via the CODESYS Control runtime system control program. It carries a Common Vulnerability Scoring System (CVSS) v3.1 base score of 8.1. Another vulnerability, CVE-2022-31806, pertains to insecure initialization wherein password protection is disabled by default in Codesys V2 PLCWinNT and Runtime Toolkit 32 versions before V2.4.7.57, with no notification to enable it when no password is set, and has a CVSS v3.1 base score of 9.8.
Exploitation of these vulnerabilities enables attackers to access devices without authentication and change configuration files, potentially impacting device integrity and control.
To address these issues, Festo recommends applying mitigations including enabling password protection on controllers lacking it and utilizing online user management to restrict unauthorized code execution, while acknowledging certain operational restrictions such as suppression of start, stop, and debug commands. Password configuration files must be manually included in backups. No full patches are stated, only these specific workaround measures.
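As an added example that is not part of the CISA alert or Festo's own material, the Python script below turns the affected-version conditions and the recommended workaround into an inventory triage check: it flags devices whose product family the advisory lists as affected in all versions, flags Codesys V2 PLCWinNT and Runtime Toolkit 32 runtimes older than V2.4.7.57 for CVE-2022-31806, and flags any device on which password protection is still disabled. The inventory record layout (name, family, runtime, version, password_protection) and the sample devices and version strings are constructed for illustration, not taken from the advisory. Version strings are compared numerically rather than as text, since a plain string comparison would rank 2.4.7.57 above 2.4.10.3.

```python
import re

# Fixed version for CVE-2022-31806 as stated in the advisory text.
FIXED_VERSION = (2, 4, 7, 57)

# Codesys V2 runtimes the advisory names for CVE-2022-31806.
VERSION_GATED_RUNTIMES = {"PLCWinNT", "Runtime Toolkit 32"}

# Product families the advisory lists as affected in all versions.
LISTED_FAMILIES = {"SBO-Q", "CPX-CEC-C1", "CPX-CEC-M1", "CECC-D", "CPX-E-CEC", "CDPX-X"}


def parse_version(text):
    """Turn 'V2.4.7.57' into (2, 4, 7, 57) so versions compare numerically.

    A string comparison would put '2.4.7.57' after '2.4.10.3', which is wrong.
    """
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_version_gated_affected(runtime, version):
    """True when a PLCWinNT / Runtime Toolkit 32 runtime is older than V2.4.7.57."""
    if runtime not in VERSION_GATED_RUNTIMES:
        return False
    # Tuple comparison: a shorter prefix such as (2, 4, 7) sorts before (2, 4, 7, 57).
    return parse_version(version) < FIXED_VERSION


def triage(inventory):
    """Return (device name, finding) pairs for every device that needs attention."""
    findings = []
    for dev in inventory:
        name = dev["name"]
        if dev.get("family") in LISTED_FAMILIES:
            findings.append((name, "listed in advisory: all versions affected, apply Festo mitigations"))
        if is_version_gated_affected(dev.get("runtime", ""), dev["version"]):
            findings.append((name, "CVE-2022-31806: runtime older than V2.4.7.57"))
        if not dev.get("password_protection", False):
            findings.append((name, "workaround: enable password protection and add the password file to backups"))
    return findings


# Constructed sample inventory (hypothetical hostnames, families, runtimes and versions).
SAMPLE_INVENTORY = [
    {"name": "plc-01", "family": "CPX-CEC-C1", "runtime": "CODESYS V2",
     "version": "V2.3.9.1", "password_protection": False},
    {"name": "soft-plc-01", "family": "windows-host", "runtime": "PLCWinNT",
     "version": "V2.4.7.56", "password_protection": True},
    {"name": "soft-plc-02", "family": "windows-host", "runtime": "Runtime Toolkit 32",
     "version": "V2.4.10.3", "password_protection": True},
    {"name": "hmi-01", "family": "CDPX-X", "runtime": "CODESYS V3",
     "version": "V3.5.14.0", "password_protection": True},
    {"name": "soft-plc-03", "family": "windows-host", "runtime": "PLCWinNT",
     "version": "V2.4.7.57", "password_protection": False},
]


if __name__ == "__main__":
    for device, finding in triage(SAMPLE_INVENTORY):
        print(f"{device}: {finding}")
```

The password-protection check is the one the advisory's workaround hinges on: CVE-2022-31806 is only a problem because the runtime ships with protection off and never prompts, so an inventory that records whether protection has been turned on (and whether the password file is in the backup set) is the fastest way to confirm the workaround is in place across a fleet.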
Advisory guidance from CISA emphasizes reducing network exposure for all control system devices to prevent internet accessibility, employing firewalls to isolate control system networks from business networks, and using secure remote access methods like updated Virtual Private Networks while acknowledging their limitations. Organizations are urged to conduct impact analysis and risk assessments before implementing defenses and to follow recommended industrial control system security practices available through official resources. Reporting suspected malicious activities to CISA for incident correlation is advised. Furthermore, users should guard against social engineering by avoiding unsolicited email links and attachments and follow provided best practice documents on recognizing phishing and email scams.