Detections
Analytics

Rockwell Automation LP30/40/50 and BM40 Operator Interface Untrusted Pointer Dereference (CVE-2022-47393)

medium Tenable OT Security Plugin ID 501642

Synopsis

The remote OT asset is affected by a vulnerability.

Description

An authenticated, remote attacker may use a Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in the CmpFileTransfer Component of multiple versions of multiple CODESYS products to force a denial-of-service situation.

Wago PFC200 and Compact Controllers support Codesys V3.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Rockwell Automation recommend users using the affected software to apply the risk mitigations, if possible:

- Upgrade to CODESYS version 3.5.19.2 which has been released to mitigate these issues.
- Additionally, we encourage the user to implement our suggested security best practices to minimize risk of the vulnerability.

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Additional information can be found in the CODESYS Advisory.

See Also

http://www.nessus.org/u?2db205d9

http://www.nessus.org/u?7a14aee1

https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-07

Plugin Details

Severity: Medium

ID: 501642

File Name: tenable_ot_wago_CVE-2022-47393.nasl

Version: 1.4

Type: remote

Family: Tenable.ot

Published: 9/18/2023

Updated: 3/6/2026

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2022-47393

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:wago:751-9301_firmware, cpe:/o:wago:pfc200_firmware

Required KB Items: Tenable.ot/Wago

Exploit Ease: No known exploits are available

Patch Publication Date: 4/3/2019

Vulnerability Publication Date: 4/3/2019

Reference Information

CVE: CVE-2022-47393

CWE: 119