TRUMPF: Multiple products prone to WIBU CodeMeter vulnerabilities

VDE-2020-039 (2020-10-27 11:28 UTC+0100)

Affected Vendors

TRUMPF Werkzeugmaschinen GmbH + Co. KG

Affected Products

  • TecZoneBend: from V18.02.R8 to V20.04.00
  • TruTopsBoost: from V06.00.23.00 to V11.02.22.01
  • TruTopsFab (incl. TruTops Monitor): from V15.00.23.00 to V20.02.22.01
  • TruTopsPrint: from V00.06.00 to V01.00
  • TruTopsPrintMultilaserAssistant V01.02
  • ToPsCalculation: from V14.00 to V19.01
  • TruTops: from V08.00 to V11.05
  • TubeDesign: from V08.00 to V11.00
  • ProgrammingTube V1.0.1
  • TruTopsWeld: from V7.0.198.241 to V7.2.95
  • TruTops Cell Classic: from V08.01.00.00 to V09.04.00.01
  • TruTops Mark 3
  • Tops Unfold V05.03.00.00
  • TruTopsFab_Storage_SmallStore: from V14.06.20 to V17.05.20
  • TrumpfLicenseExpert: from V1.5.2 to V1.8.5

Vulnerability Type

Buffer Access with Incorrect Length Value (CWE-805)

Summary

A number of TRUMPF CAD/CAM software tools use the CodeMeter Runtime application from WIBU-SYSTEMS AG to manage licences. This application contains a number of vulnerabilities that enable an attacker to prevent normal operation of CodeMeter, resulting in a denial of service, and potentially to execute arbitrary code.

Impact

The TRUMPF CAD/CAM products listed above are supplied with the WIBU CodeMeter Runtime software in versions that are known to contain a number of vulnerabilities. We cannot confirm at this time whether the use of a vulnerable CodeMeter exposes our products to the risks described in the CVEs listed below. Nevertheless, we are working to replace the vulnerable versions of CodeMeter with the available fixed versions.

WIBU-200521-01 Improper Input Validation of Update Files in CodeMeter Runtime
CVE-2020-14513
CWE-20 Improper Input Validation
CVSSv3.1 base score 7.5
Description: Improper Input Validation of WibuRaU files in CodeMeter Runtime

WIBU-200521-02 CodeMeter Runtime WebSockets API: Missing Origin Validation
CVE-2020-14519
CWE-346 Origin Validation Error
CVSSv3.1 base score 8.1
Description: CodeMeter Runtime WebSockets API: Missing Origin Validation

WIBU-200521-03 CodeMeter Runtime DoS due to Buffer Access with Incorrect Length Value
CVE-2020-14509
CWE-805 Buffer Access with Incorrect Length Value
CVSSv3.1 base score 10.0
Description: CodeMeter Runtime DoS due to Buffer Access with Incorrect Length Value
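
The following is an added illustration of the vulnerability class named under "Vulnerability Type" above and in WIBU-200521-03 (CWE-805, Buffer Access with Incorrect Length Value). It is not TRUMPF or WIBU-SYSTEMS code and does not model the CodeMeter protocol; the two-byte length-prefixed message format, the MAX_PAYLOAD limit and the sample messages are all constructed for the example. It shows the defect in its generic form (a parser that trusts a peer-supplied length as the copy size) next to the hardened parser that bounds the length by both the destination capacity and the bytes actually received, which is the check that turns a crashing input into a rejected one.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed toy wire format: 2-byte big-endian payload length followed by
 * the payload. This is an illustration of CWE-805, not the CodeMeter protocol.
 */
#define MAX_PAYLOAD 64

struct message {
    uint16_t len;                 /* bytes actually stored in payload */
    uint8_t payload[MAX_PAYLOAD];
};

/* Vulnerable pattern: the length field from the peer is used directly as the
 * copy size, so one message can make memcpy read past the end of buf and
 * write past the end of out->payload. Kept for contrast; not called below. */
int parse_unchecked(const uint8_t *buf, size_t buflen, struct message *out)
{
    if (buflen < 2)
        return -1;
    uint16_t declared = (uint16_t)((buf[0] << 8) | buf[1]);
    out->len = declared;
    memcpy(out->payload, buf + 2, declared); /* declared is never bounded */
    return 0;
}

/* Hardened pattern: the declared length is checked against both the
 * destination capacity and the number of bytes actually received. */
int parse_checked(const uint8_t *buf, size_t buflen, struct message *out)
{
    if (buf == NULL || out == NULL || buflen < 2)
        return -1;                       /* no complete header */
    uint16_t declared = (uint16_t)((buf[0] << 8) | buf[1]);
    if (declared > MAX_PAYLOAD)
        return -2;                       /* would overflow the destination */
    if ((size_t)declared > buflen - 2)
        return -3;                       /* would read beyond the received data */
    out->len = declared;
    memcpy(out->payload, buf + 2, declared);
    return 0;
}

/* Constructed sample inputs: a well-formed message, one whose declared
 * length exceeds the destination, and one whose declared length exceeds
 * the bytes actually received. */
static const uint8_t sample_good[]      = { 0x00, 0x03, 'a', 'b', 'c' };
static const uint8_t sample_oversized[] = { 0xFF, 0xFF, 'a' };
static const uint8_t sample_truncated[] = { 0x00, 0x10, 'a', 'b' };

/* Returns the accepted payload length for the good sample (3), the parser's
 * error code on rejection, or -100 if the copied payload is wrong. */
int check_good(void)
{
    struct message m;
    int rc = parse_checked(sample_good, sizeof sample_good, &m);
    if (rc != 0)
        return rc;
    if (memcmp(m.payload, "abc", 3) != 0)
        return -100;
    return (int)m.len;
}

int check_oversized(void)
{
    struct message m;
    return parse_checked(sample_oversized, sizeof sample_oversized, &m);
}

int check_truncated(void)
{
    struct message m;
    return parse_checked(sample_truncated, sizeof sample_truncated, &m);
}

int main(void)
{
    printf("good: %d, oversized: %d, truncated: %d\n",
           check_good(), check_oversized(), check_truncated());
    return 0;
}
```

The hardened parser performs two independent checks because they guard against different failures: the comparison with MAX_PAYLOAD prevents the out-of-bounds write into the destination, while the comparison with the received byte count prevents the out-of-bounds read from the input buffer. Dropping either one leaves a path to a crash of the service, which is the denial-of-service outcome the advisory describes.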

WIBU-200521-04 CodeMeter Runtime API: Inadequate Encryption Strength and Authentication
CVE-2020-14517
CWE-326 Inadequate Encryption Strength and Authentication
CVSSv3.1 base score 9.4
Description: CodeMeter Runtime API: Inadequate Encryption Strength and Authentication

WIBU-200521-05 CodeMeter Runtime API: Heap Leak
CVE-2020-16233
CWE-404 Improper Resource Shutdown or Release
CVSSv3.1 base score 7.5
Description: CodeMeter Runtime API: Heap Leak

WIBU-200521-06 Improper Signature Verification of Update Files in CodeMeter Runtime
CVE-2020-14515
CWE-347 Improper Verification of Cryptographic Signature
CVSSv3.1 base score 7.4
Description: Improper Signature Verification of CmActLicense update files for CmActLicense Firm Code

For detailed information, please refer to the original WIBU-SYSTEMS advisories at https://wibu.com/support/security-advisories.html

Solution

  • Use the updated versions of the TRUMPF CAD/CAM products that will be available via your service channel shortly.
  • Until then, reduce internet usage on workstations with TRUMPF CAD/CAM products to a minimum.

Reported by

Sharon Brizinov and Tal Keren of Claroty reported these vulnerabilities to WIBU Systems.
Coordinated by CERT@VDE, CISA and BSI.