|Article No°||Product Name||Affected Version(s)|
|1153509||E-Mobility Charging Suite license codes for EV Charging Suite Setup||<= 1.7.3|
|1153513||E-Mobility Charging Suite license codes for EV Charging Suite Setup||<= 1.7.3|
|1086929||E-Mobility Charging Suite license codes for EV Charging Suite Setup||<= 1.7.3|
|1153516||E-Mobility Charging Suite license codes for EV Charging Suite Setup||<= 1.7.3|
|1086891||E-Mobility Charging Suite license codes for EV Charging Suite Setup||<= 1.7.3|
|1153508||E-Mobility Charging Suite license codes for EV Charging Suite Setup||<= 1.7.3|
|1153520||E-Mobility Charging Suite license codes for EV Charging Suite Setup||<= 1.7.3|
|1086921||E-Mobility Charging Suite license codes for EV Charging Suite Setup||<= 1.7.3|
|1086889||E-Mobility Charging Suite license codes for EV Charging Suite Setup||<= 1.7.3|
|1086920||E-Mobility Charging Suite license codes for EV Charging Suite Setup||<= 1.7.3|
|2702889||FL Network Manager||<= 4.20|
|1046008||PC Worx Engineer||<= 2020.06|
|1165889||PLCnext Engineer EDU LIC||<= 2020.06|
Several vulnerabilities have been discovered in WIBU-SYSTEMS CodeMeter and published 08 September 2020. Phoenix Contact is only affected by a subset of these vulnerabilities.
Phoenix Contact products are not affected by vulnerabilities WIBU-200521-01 (CVE-2020- 14513), WIBU-200521-04 (CVE-2020-14517, and WIBU-200521-06 (CVE-2020-14515). For further Information please refer to WIBU Advisories directly at https://wibu.com/support/security-advisories.html.
Multiple memory corruption vulnerabilities exist in CodeMeter (All versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.
An attacker could send a specially crafted packet that could have CodeMeter (All versions prior to 7.10) send back packets containing data from the heap.
This vulnerability allows an attacker to use the internal WebSockets API for CodeMeter (All versions prior to 7.00 are affected, including Version 7.0 or newer with the affected WebSockets API still enabled. This is especially relevant for systems or devices where a web browser is used to access a web server) via a specifically crafted Java Script payload, which may allow alteration or creation of license files for when combined with CVE-2020-14515.
|WIBU Security Advisory||CVE Number||Description||Phoenix Contact products according table above|
|WIBU- 200521-01||CVE-2020- 14513
|Improper Input Validation of WibuRaU files in CodeMeter Runtime||Products are not affected as Phoenix Contact is using a Universal Firm Code|
|WIBU- 200521-02||CVE-2020- 14519
|CodeMeter Runtime WebSockets API: Missing Origin Validation||Products are affected according WIBU Systems classification|
|WIBU- 200521-03||CVE-2020- 14509
|CodeMeter Runtime DoS due to Buffer Access with Incorrect Length Value||Products are affected according WIBU Systems classification|
|WIBU- 200521-04||CVE-2020- 14517
|CodeMeter Runtime API: Inadequate Encryption Strength and Authentication||Products are not affected as Phoenix Contact is using AxProtector|
|WIBU- 200521-05||CVE-2020- 16233
|CodeMeter Runtime API: Heap Leak||Products are affected according WIBU Systems classification|
|WIBU- 200521-06||CVE-2020- 14515
|Improper Signature Verification of CmActLicense update files for CmActLicense Firm Code||Products are not affected as Phoenix Contact is using a Universal Firm Code|
Phoenix Contact devices using CodeMeter embedded are not affected by these vulnerabilities. According to WIBU SYSTEMS Universal Firm Codes (UFC) used by Phoenix Contact are not affected.
Temporary Fix / Mitigation
For detailed information please refer to WIBU Systems original Advisories.
WIBU-SYSTEMS has released a new CodeMeter Runtime version 7.10 to fix the known vulnerabilities and may continue to release further updated versions in the future.
Phoenix Contact has released a new version of Activation Wizard 1.3.2, used for activation and deactivation of licenses, installing CodeMeter Runtime 7.10 on Windows PCs.
After installation of Activation Wizard 1.3.2 all installed products using CodeMeter Runtime will use the latest CodeMeter Runtime 7.10 version.
Activation Wizard 1.3.2 contains the official fix of WIBU-SYSTEMS for the known variabilities and is disabling the WebSockets API like recommended by WIBU-SYSTEMS.
We strongly recommend downloading and installing Activation Wizard 1.3.2 or higher as the CVSS Score of the vulnerabilities are critical and high. Activation Wizard is available via the download areas of PLCnext Engineer, FL Network Manager, or EV Charging Suite.
Since there can only be one installation of CodeMeter Runtime on a system, installing the latest version of CodeMeter Runtime as being included in Activation Wizard will fix the vulnerabilities for all other applications using CodeMeter Runtime as well.
Please check your products web site for further updates regularly or register to Phoenix Contact PSIRT information’s to receive latest updates about security advisories.
Phoenix Contact recommends following security best practices to protect systems from local and network attacks as described in the application note AH EN INDUSTRIAL SECURITY.
Sharon Brizinov and Tal Keren of Claroty
Coordinated by CERT@VDE, CISA and BSI