All WAGO e!COCKPIT engineering software installation bundles < V1.10
All WAGO-I/O-Pro (CODESYS 2.3) engineering software installation versions 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206 and 220.127.116.11.
Multiple vulnerabilities were reported in WIBU-SYSTEMS CodeMeter. WIBU-SYSTEMS CodeMeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations. All currently existing e!COCKPIT installation bundles and the WAGO-I/O-Pro (CODESYS 2.3) installation bundles with versions 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11 and 18.104.22.168 contain vulnerable versions of WIBU-SYSTEMS CodeMeter.
A buffer over-read vulnerability exists in Wibu-Systems CodeMeter versions < 7.21a. An unauthenticated remote attacker can exploit this issue to disclose heap memory contents or crash the CodeMeter Runtime Server.
A denial of service vulnerability exists in Wibu-Systems CodeMeter versions < 7.21a. An unauthenticated remote attacker can exploit this issue to crash the CodeMeter Runtime Server.
WAGO controllers and IO-Devices are not affected by the WIBU-SYSTEMS CodeMeter vulnerabilities. However, for compatibility with the 3S CODESYS Store, e!COCKPIT and the engineering software are bundled with a WIBU-SYSTEMS CodeMeter installation.
We strongly encourage e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) users to update WIBU-SYSTEMS CodeMeter by installing the latest available stand-alone WIBU-SYSTEMS CodeMeter version.
During the WIBU-SYSTEMS CodeMeter installation process, follow the setup settings recommended in the WIBU-SYSTEMS advisories; a brief summary is provided in the Mitigation chapter. Please check for updates and details that may not be included in this document.
WAGO will provide updated e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) setup routines with the latest WIBU-SYSTEMS CodeMeter version in Q4/2021.
For further impact information and risk mitigation, please refer to the official WIBU-SYSTEMS Advisory Website at https://wibu.com/support/security-advisories.html.
Coordination done by CERT@VDE.