
CODESYS
CODESYS Control V3 NULL Pointer Dereference Advisory
Pages
4
Time to read
4 mins
Publication
Language
English

This document is a security advisory detailing a vulnerability in the CODESYS Control runtime system's CmpDevice component. The vulnerability allows unauthenticated attackers to cause a denial-of-service (DoS) condition through specially crafted communication requests, triggered by a NULL pointer dereference. The advisory specifies that only certain PLCs utilizing the CODESYS Runtime Toolkit are affected, particularly those running versions 3.5.21.10 and earlier, as well as versions 4.16.0.0 and earlier. The document outlines the impacted products, including various CODESYS Control versions. It also provides remediation steps, recommending updates to specific versions to mitigate the vulnerability. Additionally, it suggests mitigation strategies, such as restricting login authentication types and implementing best-practice security measures to protect industrial control systems. The advisory concludes with acknowledgments and further information for users seeking assistance.