Cybersecurity: Your Business Protected Against Attacks
With advances in communication technologies, machines and systems are becoming increasingly interconnected through the internet. In this context, protection against cyberattacks becomes essential to ensure security, data integrity, and the continuity of industrial operations.
Prevention, identification, and resolution of vulnerabilities
The security features embedded in Altus products are constantly reviewed and updated to prevent potential vulnerabilities. However, in cases where a vulnerability is identified by external agents, we are committed to resolving these issues within a reasonable timeframe.
In our Cybersecurity Manual, we provide important information about security when using Altus products.

List of Security Advisories Published by Altus
These advisories provide essential information about known vulnerabilities, including possible workarounds and available security updates. Users of our products are responsible for evaluating whether and when to apply the recommended updates.
If you detect a potential vulnerability that directly or indirectly affects an Altus product, please inform us via email at ouvidoria@altus.com.br.

Help us maintain the high security of Altus products
CVE-2022-30792
Firmware version with the corrected vulnerability: HX: 1.14.36.5, XP: 1.14.20.0, NX300x: 1.14.20.0, NL: 1.14.31.4, NX30x0: 1.14.7.0.
CVE Description: In CmpChannelServer of CODESYS V3 in multiple versions an uncontrolled resource consumption allows an unauthorized attacker to block new communication channel connections. Existing connections are not affected.
CVE-2022-30791
Firmware version with the corrected vulnerability: HX: 1.14.36.5, XP: 1.14.20.0, NX300x: 1.14.20.0, NL: 1.14.31.4, NX30x0: 1.14.7.0.
CVE Description: In CmpBlkDrvTcp of CODESYS V3 in multiple versions an uncontrolled resource consumption allows an unauthorized attacker to block new TCP connections. Existing connections are not affected.
CVE-2022-22515
Firmware version with the corrected vulnerability: HX: 1.12.32.4, XP (except 351 and 350): 1.12.5.3, 300x (except 3008): 1.12.5.3, 30x0: until 1.10.8.0.
CVE Description: A remote, authenticated attacker could utilize the control program of the CODESYS Control runtime system to use the vulnerability in order to read and modify the configuration file(s) of the affected products.
CVE-2022-22508
Firmware version with the corrected vulnerability: HX: 1.14.36.5, XP: 1.14.20.0, NX300x: 1.14.20.0, NL: 1.14.31.4, NX30x0: 1.14.7.0.
CVE Description: Improper Input Validation vulnerability in multiple CODESYS V3 products allows an authenticated remote attacker to block consecutive logins of a specific type.
CVE-2019-9012
Firmware version with the corrected vulnerability: HX: 1.9.4.0, XP: 1.8.5.0, NX3003: 1.8.11.0, NX3004 and 5: until 1.8.11.0, NX30x0: until 1.8.3.0.
CVE Description: An issue was discovered in 3S-Smart CODESYS V3 products. A crafted communication request may cause uncontrolled memory allocations in the affected CODESYS products and may result in a denial-of-service condition. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected.
CVE-2019-9010
Firmware version with the corrected vulnerability: HX: 1.9.4.0, XP: 1.8.5.0, NX3003: 1.8.11.0, NX3004 and 5: until 1.8.11.0, NX30x0: until 1.8.3.0.
CVE Description: An issue was discovered in 3S-Smart CODESYS V3 products. The CODESYS Gateway does not correctly verify the ownership of a communication channel. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected.
CVE-2018-25048
Firmware version with the corrected vulnerability: HX: 1.7.40.0, NX3004 and 5: until 1.7.17.0, NX30x0: until 1.7.0.8.
CVE Description: The CODESYS runtime system in multiple versions allows a remote low privileged attacker to use a path traversal vulnerability to access and modify all system files as well as DoS the device.
CVE-2019-13542
Firmware version with the corrected vulnerability: XTORM: 1.7.58.0 and 1.7.40.0, XP (except 350, 351 and 340): 1.7.49.0, NX3003: 1.8.11.0, NX30x0: 1.8.3.0.
CVE Description: In the CODESYS Development System multiple components in multiple versions transmit the passwords for the communication between clients and servers unprotected.
CVE-2022-4048
Software version with the corrected vulnerability: MTOOL 8500 3.60
CVE Description: Inadequate Encryption Strength in CODESYS Development System V3 versions prior to V3.5.18.40 allows an unauthenticated local attacker to access and manipulate code of the encrypted boot application.
CVE-2022-31805
Software version with the corrected vulnerability: MTOOL 8500 3.60
CVE Description: In the CODESYS Development System multiple components in multiple versions transmit the passwords for the communication between clients and servers unprotected.
CVE-2022-30792
Software version with the corrected vulnerability: MTOOL 8500 3.60
CVE Description: In CmpChannelServer of CODESYS V3 in multiple versions an uncontrolled resource consumption allows an unauthorized attacker to block new communication channel connections. Existing connections are not affected.
CVE-2022-30791
Software version with the corrected vulnerability: MTOOL 8500 3.60
CVE Description: In CmpBlkDrvTcp of CODESYS V3 in multiple versions an uncontrolled resource consumption allows an unauthorized attacker to block new TCP connections. Existing connections are not affected.
CVE-2022-22515
Software version with the corrected vulnerability: MTOOL 8500 3.40
CVE Description: A remote, authenticated attacker could utilize the control program of the CODESYS Control runtime system to use the vulnerability in order to read and modify the configuration file(s) of the affected products.
CVE-2021-29240
Software version with the corrected vulnerability: MTOOL 8500 3.40
CVE Description: The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content.
CVE-2021-29239
Software version with the corrected vulnerability: MTOOL 8500 3.40
CVE Description: CODESYS Development System 3 before 3.5.17.0 displays or executes malicious documents or files embedded in libraries without first checking their validity.
CVE-2020-12068
Software version with the corrected vulnerability: MTOOL 8500 3.40
CVE Description: An issue was discovered in CODESYS Development System before 3.5.16.0. CODESYS WebVisu and CODESYS Remote TargetVisu are susceptible to privilege escalation.
CVE-2019-9012
Software version with the corrected vulnerability: MTOOL 8500 3.30
CVE Description: An issue was discovered in 3S-Smart CODESYS V3 products. A crafted communication request may cause uncontrolled memory allocations in the affected CODESYS products and may result in a denial-of-service condition. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected, regardless of the CPU type or operating system.
CVE-2019-9010
Software version with the corrected vulnerability: MTOOL 8500 3.30
CVE Description: An issue was discovered in 3S-Smart CODESYS V3 products. The CODESYS Gateway does not correctly verify the ownership of a communication channel. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected.
CVE-2021-36764
Software version with the corrected vulnerability: MTOOL 8500 3.40
CVE Description: In CODESYS Gateway V3 before 3.5.17.10, there is a NULL Pointer Dereference. Crafted communication requests may cause a Null pointer dereference in the affected CODESYS products and may result in a denial-of-service condition.
CVE-2021-29241
Software version with the corrected vulnerability: MTOOL 8500 3.40
CVE Description: CODESYS Gateway 3 before 3.5.16.70 has a NULL pointer dereference that may result in a denial of service (DoS).
CVE-2020-7052
Software version with the corrected vulnerability: MTOOL 8500 3.30
CVE Description: CODESYS Control V3, Gateway V3, and HMI V3 before 3.5.15.30 allow uncontrolled memory allocation which can result in a remote denial of service condition.
CVE-2019-5105
Software version with the corrected vulnerability: MTOOL 8500 3.40
CVE Description: An exploitable memory corruption vulnerability exists in the Name Service Client functionality of 3S-Smart Software Solutions CODESYS GatewayService. A specially crafted packet can cause a large memcpy, resulting in an access violation and termination of the process. An attacker can send a packet to a device running the GatewayService.exe to trigger this vulnerability. All variants of the CODESYS V3 products in all versions prior to V3.5.16.10 containing the CmpRouter or CmpRouterEmbedded component are affected.
CVE-2022-1989
Software version with the corrected vulnerability: MTOOL 8500 3.60
CVE Description: All CODESYS Visualization versions before V4.2.0.0 generate a login dialog vulnerable to information exposure allowing a remote, unauthenticated attacker to enumerate valid users.
CVE-2018-25048
Software version with the corrected vulnerability: MTOOL 8500 3.30
CVE Description: The CODESYS runtime system in multiple versions allows a remote low privileged attacker to use a path traversal vulnerability to access and modify all system files as well as DoS the device.