PEPPERL+FUCHS/VMT Bildverarbeitungssysteme GmbH: VMT MSS and VMT IS - Several vulnerabilities in products utilizing WIBU SYSTEMS CodeMeter components
VDE-2020-034 (2020-09-10 14:22 UTC+0100)
CVE Identifier
CVE-2020-14509
Affected Vendors
VMT Bildverarbeitungssysteme GmbH
Affected Products
- VMT MSS Version 1.28.1 and previous, but only if CVB by STEMMER IMAGING AG or Halcon by MVTec GmbH are included.
- VMT IS Version 7.x and previous, but only if WIBU SYSTEMS CodeMeter Runtime Version lower than 7.10 is installed.
Vulnerability Type
Buffer Access with Incorrect Length Value (CWE-805)
Summary
Several vulnerabilities have been discovered in the utilized component WIBU SYSTEMS CodeMeter Runtime.
For detailed information, please refer to the original WIBU SYSTEMS advisories at https://wibu.com/support/security-advisories.html
WIBU-200521-01 Improper Input Validation of Update Files in CodeMeter Runtime
CVE-2020-14513
CWE-20 Improper Input Validation
CVSSv3.1 base score 7.5
Description: Improper Input Validation of WibuRaU files in CodeMeter Runtime
WIBU-200521-02 CodeMeter Runtime WebSockets API: Missing Origin Validation
CVE-2020-14519
CWE-346 Origin Validation Error
CVSSv3.1 base score 8.1
Description: CodeMeter Runtime WebSockets API: Missing Origin Validation
WIBU-200521-03 CodeMeter Runtime DoS due to Buffer Access with Incorrect Length Value
CVE-2020-14509
CWE-805 Buffer Access with Incorrect Length Value
CVSSv3.1 base score 10.0
Description: CodeMeter Runtime DoS due to Buffer Access with Incorrect Length Value
WIBU-200521-04 CodeMeter Runtime API: Inadequate Encryption Strength and Authentication
CVE-2020-14517
CWE-326 Inadequate Encryption Strength and Authentication
CVSSv3.1 base score 9.4
Description: CodeMeter Runtime API: Inadequate Encryption Strength and Authentication
WIBU-200521-05 CodeMeter Runtime API: Heap Leak
CVE-2020-16233
CWE-404 Improper Resource Shutdown or Release
CVSSv3.1 base score 7.5
Description: CodeMeter Runtime API: Heap Leak
WIBU-200521-06 Improper Signature Verification of Update Files in CodeMeter Runtime
CVE-2020-14515
CWE-347 Improper Verification of Cryptographic Signature
CVSSv3.1 base score 7.4
Description: Improper Signature Verification of CmActLicense update files for CmActLicense Firm Code
Impact
Pepperl+Fuchs analyzed and identified affected products.
Products are affected according to WIBU Systems classification.
Solution
For VMT MSS
Update to WIBU Systems CodeMeter Runtime 7.10 or newer.
For VMT IS
Please contact VMT GmbH to receive support for the product update process.
In general, and without any update, this product can be operated in a secure local network that has no connection to an untrusted network, such as the internet or a global corporate IT network.
Reported by
Sharon Brizinov and Tal Keren of Claroty
WIBU SYSTEMS
Coordinated by CERT@VDE