Cybersecurity: Your business protected against attacks
With advances in communication technologies, machines and systems are becoming increasingly interconnected through the internet. In this context, protection against cyberattacks becomes essential to ensure the security, data integrity, and continuity of industrial operations.
Prevention, identification, and resolution of vulnerabilities
The security features embedded in Altus products are constantly reviewed and updated to prevent potential vulnerabilities. However, for cases where a vulnerability is identified by external agents, we are committed to resolving these issues within a reasonable timeframe.
In our Cybersecurity Manual, we offer important information regarding security with Altus products.

List of security advisories published by Altus
These advisories provide essential information about known vulnerabilities, including possible alternative solutions and available security updates. Users of our products should determine, based on their own technical assessment, if and when to implement the recommended updates.
If you detect a possible vulnerability that has a direct or indirect effect on an Altus product, please inform us via the email ouvidoria@newsite.altusautomation.com.

Help us keep Altus products as secure as possible
CVE-2022-30792
Firmware version with the vulnerability fixed: HX: 1.14.36.5, XP: 1.14.20.0, NX300x: 1.14.20.0, NL: 1.14.31.4, NX30x0: 1.14.7.0.
CVE Description: In CODESYS V3’s CmpChannelServer, across several versions, uncontrolled resource consumption allows an unauthorized attacker to block new communication channel connections. Existing connections are not affected.
CVE-2022-30791
Firmware version with the vulnerability fixed: HX: 1.14.36.5, XP: 1.14.20.0, NX300x: 1.14.20.0, NL: 1.14.31.4, NX30x0: 1.14.7.0.
CVE Description: In CODESYS V3’s CmpBlkDrvTcp, across several versions, uncontrolled resource consumption allows an unauthorized attacker to block new TCP connections. Existing connections are not affected.
CVE-2022-22515
Firmware version with the vulnerability fixed: HX: 1.12.32.4, XP (except 351 and 350): 1.12.5.3, 300x (except 3008): 1.12.5.3, 30x0: up to 1.10.8.0.
CVE Description: A remote and authenticated attacker could use the CODESYS Control runtime system control program to exploit the vulnerability in order to read and modify the configuration file(s) of the affected products.
CVE-2022-22508
Firmware version with the vulnerability fixed: HX: 1.14.36.5, XP: 1.14.20.0, NX300x: 1.14.20.0, NL: 1.14.31.4, NX30x0: 1.14.7.0.
CVE Description: An Improper Input Validation vulnerability in multiple CODESYS V3 products allows a remote and authenticated attacker to block consecutive logins of a specific type.
CVE-2019-9012
Firmware version with the vulnerability fixed: HX: 1.9.4.0, XP: 1.8.5.0, NX3003: 1.8.11.0, NX3004 and 5: up to 1.8.11.0, NX30x0: up to 1.8.3.0.
CVE Description: An issue was discovered in 3S-Smart CODESYS V3 products. A specially crafted communication request can cause uncontrolled memory allocations in the affected CODESYS products and result in a denial-of-service condition. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected.
CVE-2019-9010
Firmware version with the vulnerability fixed: HX: 1.9.4.0, XP: 1.8.5.0, NX3003: 1.8.11.0, NX3004 and 5: up to 1.8.11.0, NX30x0: up to 1.8.3.0.
CVE Description: An issue was discovered in 3S-Smart CODESYS V3 products. The CODESYS Gateway does not correctly verify the ownership of a communication channel. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected.
CVE-2018-25048
Firmware version with the vulnerability fixed: HX: 1.7.40.0, NX3004 and 5: up to 1.7.17.0, NX30x0: up to 1.7.0.8.
CVE Description: The CODESYS runtime system in several versions allows a remote attacker with low privileges to use a path traversal vulnerability to access and modify all system files, as well as cause a denial-of-service (DoS) attack on the device.
CVE-2019-13542
Firmware version with the vulnerability fixed: XTORM: 1.7.58.0 and 1.7.40.0, XP (except 350, 351, and 340): 1.7.49.0, NX3003: 1.8.11.0, NX30x0: 1.8.3.0.
CVE Description: In the CODESYS Development System, multiple components across several versions transmit passwords for communication between clients and servers in an unprotected manner.
CVE-2022-4048
Software version with the vulnerability fixed: MTOOL 8500 3.60
CVE Description: The “Inadequate Encryption Strength” security weakness in the CODESYS V3 Development System in versions prior to V3.5.18.40 allows an unauthenticated local attacker to access and manipulate the code of encrypted boot applications.
CVE-2022-31805
Software version with the vulnerability fixed: MTOOL 8500 3.60
CVE Description: In the CODESYS Development System, several components across multiple versions transmit passwords for communication between clients and servers without protection.
CVE-2022-30792
Software version with the vulnerability fixed: MTOOL 8500 3.60
CVE Description: In CODESYS V3’s CmpChannelServer, across several versions, uncontrolled resource consumption allows an unauthorized attacker to block new communication channel connections. Existing connections are not affected.
CVE-2022-30791
Software version with the vulnerability fixed: MTOOL 8500 3.60
CVE Description: In CODESYS V3’s CmpBlkDrvTcp, across several versions, uncontrolled resource consumption allows an unauthorized attacker to block new TCP connections. Existing connections are not affected.
CVE-2022-22515
Software version with the vulnerability fixed: MTOOL 8500 3.40
CVE Description: A remote and authenticated attacker could use the CODESYS Control runtime system control program to exploit the vulnerability and read or modify the configuration file(s) of the affected products.
CVE-2021-29240
Software version with the vulnerability fixed: MTOOL 8500 3.40
CVE Description: The CODESYS Development System 3 Package Manager in versions prior to 3.5.17.0 does not verify the validity of packages before installation, which could be used to install CODESYS packages with malicious content.
CVE-2021-29239
Software version with the vulnerability fixed: MTOOL 8500 3.40
CVE Description: CODESYS Development System 3, in versions prior to 3.5.17.0, displays or executes malicious documents or files embedded in libraries without prior verification of their validity.
CVE-2020-12068
Software version with the vulnerability fixed: MTOOL 8500 3.40
CVE Description: An issue was discovered in the CODESYS Development System in versions prior to 3.5.16.0. CODESYS WebVisu and CODESYS Remote TargetVisu are susceptible to privilege escalation.
CVE-2019-9012
Software version with the vulnerability fixed: MTOOL 8500 3.30
CVE Description: An issue was discovered in 3S-Smart CODESYS V3 products. A specially crafted communication request can cause uncontrolled memory allocations in the affected CODESYS products, which may result in a denial-of-service condition. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected, regardless of the CPU type or operating system.
CVE-2019-9010
Software version with the vulnerability fixed: MTOOL 8500 3.30
CVE Description: An issue was discovered in 3S-Smart CODESYS V3 products. The CODESYS Gateway does not correctly verify the ownership of a communication channel. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected.
CVE-2021-36764
Software version with the vulnerability fixed: MTOOL 8500 3.40
CVE Description: In CODESYS Gateway V3 in versions prior to 3.5.17.10, there is a NULL Pointer Dereference. Specially crafted communication requests can cause a null pointer dereference in the affected CODESYS products, which may result in a denial-of-service (DoS) condition.
CVE-2021-29241
Software version with the vulnerability fixed: MTOOL 8500 3.40
CVE Description: In CODESYS Gateway 3 in versions prior to 3.5.16.70, there is a NULL pointer dereference that can result in a denial-of-service (DoS) condition.
CVE-2020-7052
Software version with the vulnerability fixed: MTOOL 8500 3.30
CVE Description: CODESYS Control V3, Gateway V3, and HMI V3, in versions prior to 3.5.15.30, allow for uncontrolled memory allocation that can result in a remote denial-of-service (DoS) condition.
CVE-2019-5105
Software version with the vulnerability fixed: MTOOL 8500 3.40
CVE Description: An exploitable memory corruption vulnerability exists in the Name Service Client functionality of the 3S-Smart Software Solutions CODESYS GatewayService. A specially crafted packet can cause a large-scale memcpy, resulting in an access violation and process termination. An attacker can send a packet to a device running GatewayService.exe to trigger this vulnerability. All variants of CODESYS V3 products in all versions prior to V3.5.16.10 that contain the CmpRouter or CmpRouterEmbedded component are affected.
CVE-2022-1989
Software version with the vulnerability fixed: MTOOL 8500 3.60
CVE Description: All versions of CODESYS Visualization prior to V4.2.0.0 generate a login dialog vulnerable to information exposure, allowing a remote and unauthenticated attacker to enumerate valid users.
CVE-2018-25048
Software version with the vulnerability fixed: MTOOL 8500 3.30
CVE Description: The CODESYS runtime system in several versions allows a remote attacker with low privileges to use a path traversal vulnerability to access and modify all system files, as well as cause a denial-of-service (DoS) attack on the device.





