PEPPERL+FUCHS/VMT Bildverarbeitungssysteme GmbH: VMT MSS and VMT IS - Several vulnerabilities in products utilizing WIBU SYSTEMS CodeMeter components

Several vulnerabilities have been discovered in the utilized component WIBU SYSTEMS CodeMeter Runtime.

VDE-2020-034 (2020-09-10 14:22 UTC+0100)

CVE Identifier

CVE-2020-14509

Severity

10.0 (CVSS:3.0:AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Vendors

VMT Bildverarbeitungssysteme GmbH

Affected Products

VMT MSS Version 1.28.1 and previous, but only if CVB by STEMMER IMAGING AG or Halcon by MVTec GmbH are included.
VMT IS Version 7.x and previous, but only if WIBU SYSTEMS CodeMeter Runtime Version lower than 7.10 is installed.

Vulnerability Type

Buffer Access with Incorrect Length Value (CWE-805)

Summary

Several vulnerabilities have been discovered in the utilized component WIBU SYSTEMS CodeMeter Runtime.

For detailed information please refer to WIBU SYSTEMS original Advisories at https://wibu.com/support/security-advisories.html

WIBU-200521-01 Improper Input Validation of Update Files in CodeMeter Runtime
CVE-2020-14513
CWE-20 Improper Input Validation
CVSSv3.1 base score 7.5
Description: Improper Input Validation of WibuRaU files in CodeMeter Runtime

WIBU-200521-02 CodeMeter Runtime WebSockets API: Missing Origin Validation
CVE-2020-14519
CWE-346 Origin Validation Error
CVSSv3.1 base score 8.1
Description: CodeMeter Runtime WebSockets API: Missing Origin Validation

WIBU-200521-03 CodeMeter Runtime DoS due to Buffer Access with Incorrect Length Value
CVE-2020-14509
CWE-805 Buffer Access with Incorrect Length Value
CVSSv3.1 base score 10.0
Description: CodeMeter Runtime DoS due to Buffer Access with Incorrect Length Value

WIBU-200521-04 CodeMeter Runtime API: Inadequate Encryption Strength and Authentication
CVE-2020-14517
CWE-326 Inadequate Encryption Strength and Authentication
CVSSv3.1 base score 9.4
Description: CodeMeter Runtime API: Inadequate Encryption Strength and Authentication

WIBU-200521-05 CodeMeter Runtime API: Heap Leak
CVE-2020-16233
CWE-404 Improper Resource Shutdown or Release
CVSSv3.1 base score 7.5
Description: CodeMeter Runtime API: Heap Leak

WIBU-200521-06 Improper Signature Verification of Update Files in CodeMeter Runtime
CVE-2020-14515
CWE-347 Improper Verification of Cryptographic Signature
CVSSv3.1 base score 7.4
Description: Improper Signature Verification of CmActLicense update files for CmActLicense Firm Code

Impact

Pepperl+Fuchs analyzed and identified affected products.
Products are affected according to WIBU Systems classification.

Solution

For VMT MSS

Update to WIBU Systems CodeMeter Runtime 7.10 or newer.

For VMT IS

Please contact VMT GmbH to receive support for the product update process.

In general and without any update, this product can be operated in a secure local network that has no connection to an untrusted network, like internet or global corporate IT-net.

Reported by

Sharon Brizinov and Tal Keren of Claroty
WIBU SYSTEMS
Coordinated by CERT@VDE