PILZ: Multiple products prone to WIBU CodeMeter vulnerabilities

Multiple PILZ products are prone to WIBU SYSTEMS CodeMeter Vulnerabilities.

VDE-2020-033 (2020-09-10 14:18 UTC+0100)

Affected Vendors

PILZ

Affected Products

  • PAS4000 Software: all versions up to 1.21.1
  • PASvisu Software: all versions up to 1.9.0
  • PASloto Software: all versions up to 1.1.3
  • PNOZsigma Configurator Software: all versions up to 1.3.0
  • Live Video Server Software: all versions up to 1.1.0
  • SafetyEYE Configurator Software: from version 3.0.0 up to 3.0.1
  • CODESYS DevSys: all versions up to V3 3.5.12

Vulnerability Type

BUFFER ACCESS WITH INCORRECT LENGTH VALUE (CWE-805)

Summary

A number of Pilz software tools use the CodeMeter Runtime application from WIBU-SYSTEMS AG to manage licences. This application contains a number of vulnerabilities, which enable an attacker to change and falsify a licence file, prevent normal operation of CodeMeter (Denial-of-Service) and potentially execute arbitrary code.

Impact

Update: some of the links to the Wibu advisories have been fixed.

The stated Pilz products are supplied with the WIBU CodeMeter Runtime Software in versions lower than v6.90, which contain a number of vulnerabilities. One of the vulnerabilities enables further vulnerabilities to be exploited via the network.

In detail the vulnerabilities are as follows:

WIBU-200521-01 Improper Input Validation of Update Files in CodeMeter Runtime
CVE-2020-14513
CWE-20 Improper Input Validation
CVSSv3.1 base score 7.5
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-01.pdf

WIBU-200521-02 CodeMeter Runtime WebSockets API: Missing Origin Validation
CVE-2020-14519
CWE-346 Origin Validation Error
CVSSv3.1 base score 8.1
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-02.pdf

WIBU-200521-03 CodeMeter Runtime DoS due to Buffer Access with Incorrect Length Value
CVE-2020-14509
CWE-805 Buffer Access with Incorrect Length Value
CVSSv3.1 base score 10.0
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-03.pdf

WIBU-200521-04 CodeMeter Runtime API: Inadequate Encryption Strength and Authentication
CVE-2020-14517
CWE-326 Inadequate Encryption Strength and Authentication
CVSSv3.1 base score 9.4
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-04.pdf

WIBU-200521-05 CodeMeter Runtime API: Heap Leak
CVE-2020-16233
CWE-404 Improper Resource Shutdown or Release
CVSSv3.1 base score 7.5
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-05.pdf

WIBU-200521-06 Improper Signature Verification of Update Files in CodeMeter Runtime
CVE-2020-14515
CWE-347 Improper Verification of Cryptographic Signature
CVSSv3.1 base score 7.4
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-06.pdf

Solution

  • Use the current version 7.10 of the CodeMeter Runtime, available via the manufacturer's website: https://www.wibu.com/de/support/anwendersoftware/anwendersoftware.html
  • Only use the CodeMeter Runtime as a client. The software tools named under affected products use the CodeMeter Runtime as a client in their default setting.
  • Pilz also recommends using a local firewall to limit unwanted access to the network services of the device with CodeMeter Runtime installed.
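As an added example (not part of this advisory, and not Pilz or CERT@VDE tooling), the following helper encodes the affected product ranges and the CodeMeter Runtime thresholds stated above so that an inventory of (product, version) pairs can be triaged against them; the product names, the version-string formats and the sample inventory are assumptions.

```python
"""Inventory triage helper for VDE-2020-033 (added example, not Pilz or CERT@VDE code).
Encodes the affected product ranges and CodeMeter Runtime thresholds stated in the advisory."""
import re
from typing import Iterable, List, Optional, Tuple

# Affected ranges transcribed from the advisory: (lowest affected or None, highest affected).
# Both bounds are inclusive ("up to 1.21.1" includes 1.21.1).
AFFECTED = {
    "PAS4000": (None, "1.21.1"),
    "PASvisu": (None, "1.9.0"),
    "PASloto": (None, "1.1.3"),
    "PNOZsigma Configurator": (None, "1.3.0"),
    "Live Video Server": (None, "1.1.0"),
    "SafetyEYE Configurator": ("3.0.0", "3.0.1"),
    "CODESYS DevSys": (None, "V3 3.5.12"),
}
CODEMETER_VULNERABLE_BELOW = "6.90"  # advisory: runtime versions lower than 6.90 carry the CVEs
CODEMETER_RECOMMENDED = "7.10"       # advisory: version to install

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.10', 'v6.90', '7.21a' or 'V3 3.5.12' into a zero-padded tuple of ints.
    Only the last whitespace-separated token is used, so 'V3 3.5.12' compares as 3.5.12."""
    nums = [int(n) for n in re.findall(r"\d+", text.strip().split()[-1])]
    return tuple(nums + [0] * (4 - len(nums)))[:4]

def product_affected(product: str, version: str) -> Optional[bool]:
    """True if the pair lies inside the affected range, False if outside,
    None if the product is not listed in the advisory (no statement either way)."""
    bounds = AFFECTED.get(product)
    if bounds is None:
        return None
    low, high = bounds
    v = parse_version(version)
    if low is not None and v < parse_version(low):
        return False
    return v <= parse_version(high)

def codemeter_status(version: str) -> str:
    """'vulnerable' below 6.90, 'below-recommended' from 6.90 up to (not including) 7.10, else 'ok'."""
    v = parse_version(version)
    if v < parse_version(CODEMETER_VULNERABLE_BELOW):
        return "vulnerable"
    return "below-recommended" if v < parse_version(CODEMETER_RECOMMENDED) else "ok"

def triage(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return one finding line per affected (product, version) pair in a constructed inventory."""
    return [f"{p} {ver}: affected, update CodeMeter Runtime to {CODEMETER_RECOMMENDED}"
            for p, ver in inventory if product_affected(p, ver)]
```

Products absent from the advisory return None rather than False, so an inventory tool can distinguish "not affected" from "not assessed".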

Reported by

Sharon Brizinov and Tal Keren of Claroty
WIBU Systems
Coordinated by CERT@VDE, CISA and BSI