
ID

VDE-2021-043

Published

2021-08-31 09:02 (CEST)

Last update

2021-09-08 10:02 (CEST)

Vendor(s)

WAGO

Product(s)

All WAGO e!COCKPIT engineering software installation bundles < V1.10
All WAGO-I/O-Pro (CODESYS 2.3) engineering software installation versions 2.3.9.46, 2.3.9.47, 2.3.9.49, 2.3.9.53, 2.3.9.55, 2.3.9.61 and 2.3.9.66.

Summary

Multiple vulnerabilities were reported in WIBU-SYSTEMS Codemeter. WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations. All currently existing e!COCKPIT installation bundles and WAGO-I/O-Pro (CODESYS 2.3) installation bundles with Version 2.3.9.46, 2.3.9.47, 2.3.9.49, 2.3.9.53, 2.3.9.55, 2.3.9.61 and 2.3.9.66 contain vulnerable versions of WIBU-SYSTEMS Codemeter.

Vulnerabilities



Weakness
Out-of-bounds Read (CWE-125)
Summary

A buffer over-read vulnerability exists in Wibu-Systems CodeMeter versions < 7.21a. An unauthenticated remote attacker can exploit this issue to disclose heap memory contents or crash the CodeMeter Runtime Server.

Weakness
Out-of-bounds Read (CWE-125)
Summary

A denial of service vulnerability exists in Wibu-Systems CodeMeter versions < 7.21a. An unauthenticated remote attacker can exploit this issue to crash the CodeMeter Runtime Server.

Impact

WAGO controllers and IO-Devices are not affected by the WIBU-SYSTEMS Codemeter vulnerabilities. However, for compatibility with the 3S CODESYS Store, the e!COCKPIT and engineering software is bundled with a WIBU-SYSTEMS Codemeter installation.

Solution

We strongly encourage e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) users to update WIBU-SYSTEMS Codemeter by installing the latest available stand-alone WIBU-SYSTEMS Codemeter Version.

During the WIBU-SYSTEMS Codemeter installation process, apply the setup settings recommended in the WIBU-SYSTEMS advisories; a brief summary is provided in the Mitigation section. Please check the advisories for updates and details that may not be included in this document.

WAGO will provide updated e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) setup routines with the latest WIBU-SYSTEMS Codemeter version in Q4/2021.

Mitigation

  1. Use general security best practices to protect systems from local and network attacks.
  2. Run CodeMeter as client only and use localhost as the binding for CodeMeter communication.
  3. With binding to localhost, an attack is no longer possible via a remote network connection. The network server is disabled by default.
  4. If it is not possible to disable the network server, using a host-based firewall to restrict access to the CmLAN port can reduce the risk.
  5. The CmWAN server is disabled by default. Please check if CmWAN is enabled and disable the feature if it is not needed.
  6. Run the CmWAN server only behind a reverse proxy with user authentication to prevent attacks from unauthenticated users.
  7. The risk of an unauthenticated attacker can be further reduced by using a host-based firewall that only allows the reverse proxy to access the CmWAN port.

For further impact information and risk mitigation, please refer to the official WIBU-SYSTEMS Advisory Website at https://wibu.com/support/security-advisories.html.
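
One way to check mitigations 2 to 4 on an engineering workstation, as an added example that is not part of the WAGO or WIBU-SYSTEMS advisories: the PowerShell script below lists TCP listeners on the CmLAN port and flags any that are bound to a non-loopback address. It assumes the CodeMeter default port 22350/TCP, which this advisory does not state; the `-Port` and `-UseSample` parameters and the function names are hypothetical names chosen for this example.

```powershell
# Added example: audit whether the CodeMeter CmLAN listener is reachable from the network.
# Assumption: 22350/TCP is the CodeMeter default port; pass -Port if your setup differs.
param(
    [int]$Port = 22350,
    [switch]$UseSample   # classify the constructed sample below instead of live sockets
)

function Test-Loopback([string]$Address) {
    # Strip an IPv6 zone index (e.g. fe80::1%12) before parsing the address.
    $ip = [System.Net.IPAddress]::Parse(($Address -replace '%.*$', ''))
    [System.Net.IPAddress]::IsLoopback($ip)
}

function Get-ListenerExposure($Listeners) {
    # One row per listening socket; Exposed is true for any non-loopback bind.
    foreach ($l in $Listeners) {
        [pscustomobject]@{
            LocalAddress  = $l.LocalAddress
            LocalPort     = $l.LocalPort
            OwningProcess = $l.OwningProcess
            Exposed       = -not (Test-Loopback $l.LocalAddress)
        }
    }
}

if ($UseSample) {
    # Constructed sample: one wildcard bind (exposed) and one loopback bind.
    $listeners = @(
        [pscustomobject]@{ LocalAddress = '0.0.0.0';   LocalPort = $Port; OwningProcess = 1111 }
        [pscustomobject]@{ LocalAddress = '127.0.0.1'; LocalPort = $Port; OwningProcess = 2222 }
    )
} else {
    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)
}

if ($listeners.Count -eq 0) {
    Write-Output "No TCP listener on port $Port."
    return
}

$report = @(Get-ListenerExposure $listeners)
$report | Format-Table -AutoSize

if ($report.Exposed -contains $true) {
    Write-Warning "Port $Port is bound to a non-loopback address; bind CodeMeter to localhost or restrict the port with a host-based firewall."
    exit 1
}
Write-Output "Port $Port is bound to loopback only."
```

A wildcard bind (`0.0.0.0` or `::`) is reported as exposed even when a firewall blocks the port, so confirm the firewall rule separately where mitigation 4 applies.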

Reported by

Coordination done by CERT@VDE.