WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT (Update A)

UPDATE A, 2020-10-12: added affected product "WAGO-I/O-Pro (CODESYS 2.3) engineering software"

VDE-2020-032 (2020-09-09 07:23 UTC+0100)

Affected Vendors

WAGO

Affected Products

All WAGO e!COCKPIT engineering software installation bundles < V1.8

UPDATE A, 2020-10-12
All WAGO-I/O-Pro (CODESYS 2.3) engineering software installation versions 2.3.9.46, 2.3.9.47, 2.3.9.49, 2.3.9.53, 2.3.9.55 and 2.3.9.61.

WAGO controllers and IO-Devices are not affected by WIBU-SYSTEMS Codemeter vulnerabilities.

Vulnerability Type

BUFFER ACCESS WITH INCORRECT LENGTH VALUE (CWE-805); the further CWEs of the individual WIBU-SYSTEMS advisories (CWE-20, CWE-346, CWE-326, CWE-404, CWE-347) are listed in the Summary.

Summary

Multiple vulnerabilities were reported in WIBU-SYSTEMS CodeMeter. WIBU-SYSTEMS CodeMeter is installed by default during the e!COCKPIT installation. All currently existing e!COCKPIT installation bundles contain vulnerable versions of WIBU-SYSTEMS CodeMeter.

Update A, 2020-10-12
WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations. All currently existing e!COCKPIT installation bundles and WAGO-I/O-Pro (CODESYS 2.3) installation bundles with Version 2.3.9.46, 2.3.9.47, 2.3.9.49, 2.3.9.53, 2.3.9.55 and 2.3.9.61 contain vulnerable versions of WIBU-SYSTEMS Codemeter.

WIBU-200521-01 Improper Input Validation of Update Files in CodeMeter Runtime
CVE-2020-14513
CWE-20 Improper Input Validation
CVSSv3.1 base score 7.5
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-01.pdf

WIBU-200521-02 CodeMeter Runtime WebSockets API: Missing Origin Validation
CVE-2020-14519
CWE-346 Origin Validation Error
CVSSv3.1 base score 8.1
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-02.pdf

WIBU-200521-03 CodeMeter Runtime DoS due to Buffer Access with Incorrect Length Value
CVE-2020-14509
CWE-805 Buffer Access with Incorrect Length Value
CVSSv3.1 base score 10.0
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-03.pdf

WIBU-200521-04 CodeMeter Runtime API: Inadequate Encryption Strength and Authentication
CVE-2020-14517
CWE-326 Inadequate Encryption Strength
CVSSv3.1 base score 9.4
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-04.pdf

WIBU-200521-05 CodeMeter Runtime API: Heap Leak
CVE-2020-16233
CWE-404 Improper Resource Shutdown or Release
CVSSv3.1 base score 7.5
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-05.pdf

WIBU-200521-06 Improper Signature Verification of Update Files in CodeMeter Runtime
CVE-2020-14515
CWE-347 Improper Verification of Cryptographic Signature
CVSSv3.1 base score 7.4
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-06.pdf

Impact

WAGO controllers and IO-Devices are not affected by WIBU-SYSTEMS CodeMeter vulnerabilities.
However, for compatibility with the 3S CODESYS Store, the e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) engineering software is bundled with a WIBU-SYSTEMS CodeMeter installation, so the vulnerable component is present on every engineering workstation on which these bundles were installed.

Vulnerability Characterization

Please refer to the official WIBU-SYSTEMS Advisories.
Website at https://www.wibu.com/support/security-advisories.html.

Update A, 2020-10-12
Website at https://www.codesys.com/security/security-reports.html (Advisory 2020-06)

Solution

We strongly encourage e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) users to update WIBU-SYSTEMS CodeMeter by installing the latest available stand-alone WIBU-SYSTEMS CodeMeter version.
During the WIBU-SYSTEMS CodeMeter installation, apply the setup settings recommended in the WIBU-SYSTEMS advisories; a brief summary is given in the section Mitigation. Please check the WIBU-SYSTEMS advisories for updates and details that may not be included in this document.
WAGO will provide updated e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) setup routines containing the latest WIBU-SYSTEMS CodeMeter version in Q4/2020.

Mitigation

  1. Use general security best practices to protect systems from local and network attacks.
  2. Disable the WIBU-SYSTEMS CodeMeter Runtime WebSockets API.
  3. Run WIBU-SYSTEMS CodeMeter only as a client and bind the WIBU-SYSTEMS CodeMeter communication to localhost. If you need to operate WIBU-SYSTEMS CodeMeter Runtime as a network license server, make sure that it is operated in a secure, isolated environment.
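The following PowerShell script is an added example and is not part of this advisory, nor code from WAGO or WIBU-SYSTEMS. It checks an engineering workstation against mitigation 3 by reporting the running CodeMeter Runtime version and every TCP socket the runtime is listening on, flagging any bind to a non-loopback address. It assumes the runtime runs as the process "CodeMeter" (CodeMeter.exe) and that the loopback addresses are 127.0.0.1 and ::1; the WebSockets API setting of mitigation 2 is not visible this way and has to be checked in CodeMeter WebAdmin as described in the WIBU-SYSTEMS advisories.

```powershell
# Added example (not part of the CERT@VDE/WAGO advisory): check a Windows
# engineering workstation against mitigation 3 and report the installed
# CodeMeter Runtime version. Assumption: the runtime runs as the process
# "CodeMeter" (CodeMeter.exe). Run from an elevated PowerShell so that the
# path of the service process is readable.

$loopback = @('127.0.0.1', '::1')

function Get-CodeMeterStatus {
    $proc = Get-Process -Name 'CodeMeter' -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $proc) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Listeners = @(); NonLoopback = @() }
    }

    # Product version of the running binary; compare it with the current
    # stand-alone CodeMeter release published by WIBU-SYSTEMS.
    $version = (Get-Item $proc.Path).VersionInfo.ProductVersion

    # All TCP sockets the runtime is listening on, with the bound address.
    $listeners = Get-NetTCPConnection -State Listen -OwningProcess $proc.Id -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort

    # Client-only use means nothing should be reachable from the network:
    # a bind to 0.0.0.0, :: or a host address is a finding.
    $exposed = @($listeners | Where-Object { $loopback -notcontains $_.LocalAddress })

    [pscustomobject]@{
        Installed   = $true
        Version     = $version
        Listeners   = $listeners
        NonLoopback = $exposed
    }
}

$status = Get-CodeMeterStatus
if (-not $status.Installed) {
    Write-Output 'CodeMeter Runtime is not running on this host.'
    return
}
Write-Output "CodeMeter Runtime version: $($status.Version)"
if ($status.NonLoopback.Count -gt 0) {
    Write-Warning 'CodeMeter is listening on non-loopback addresses (network license server mode):'
    $status.NonLoopback | ForEach-Object { Write-Warning ("  {0}:{1}" -f $_.LocalAddress, $_.LocalPort) }
    Write-Warning 'Switch the runtime to client-only operation bound to localhost unless this host is an intentional, isolated license server.'
} else {
    Write-Output 'All CodeMeter listeners are bound to loopback only.'
}
```

A listener on a non-loopback address is only acceptable on a host that is deliberately operated as a network license server in a protected segment; on an ordinary e!COCKPIT or WAGO-I/O-Pro workstation it means mitigation 3 has not been applied. The version reported by the script should be compared with the fixed version stated in the WIBU-SYSTEMS advisories linked below.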

For further impact information and risk mitigation, please refer to the official WIBU-SYSTEMS Advisory Website at https://www.wibu.com/support/security-advisories.html.
Further details on the corresponding CVEs can be obtained here:
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-01.pdf
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-02.pdf
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-03.pdf
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-04.pdf
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-05.pdf
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-06.pdf

Reported by

Coordination done by CERT@VDE.