
ID

VDE-2022-002

Published

2022-01-31 14:00 (CET)

Last update

2022-03-01 09:32 (CET)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No°   Product Name                                                   Affected Version(s)
              WAGO e!COCKPIT engineering software installation bundle        < V1.11
              WAGO-I/O-Pro (CODESYS 2.3) engineering software installation   = 2.3.9.46
              WAGO-I/O-Pro (CODESYS 2.3) engineering software installation   = 2.3.9.47
              WAGO-I/O-Pro (CODESYS 2.3) engineering software installation   = 2.3.9.49
              WAGO-I/O-Pro (CODESYS 2.3) engineering software installation   = 2.3.9.53
              WAGO-I/O-Pro (CODESYS 2.3) engineering software installation   = 2.3.9.55
              WAGO-I/O-Pro (CODESYS 2.3) engineering software installation   = 2.3.9.61
              WAGO-I/O-Pro (CODESYS 2.3) engineering software installation   = 2.3.9.66

Summary

A vulnerability has been reported in WIBU-SYSTEMS Codemeter. WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations. All currently existing e!COCKPIT installation bundles and WAGO-I/O-Pro (CODESYS 2.3) installation bundles ship with vulnerable versions of WIBU-SYSTEMS Codemeter and are therefore affected.


Weakness

Improper Link Resolution Before File Access ('Link Following') (CWE-59)

Summary

In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.


Impact

WAGO controllers and I/O devices are not affected by WIBU-SYSTEMS Codemeter vulnerabilities. However, for compatibility with the CODESYS Group's CODESYS Store, the e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) engineering software is bundled with a WIBU-SYSTEMS Codemeter installation, so the engineering workstations on which it is installed are affected.

Solution

Mitigation

  • Use general security best practices to protect systems from local and network attacks.
  • Disable the container type “Mass Storage” in CodeMeter via the Windows Registry.

Remediation

We strongly encourage e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) users to update WIBU-SYSTEMS Codemeter by installing the latest available stand-alone WIBU-SYSTEMS Codemeter Version.

WAGO will provide updated e!COCKPIT setup routines (Version 1.11) with the latest WIBU-SYSTEMS Codemeter version in Q2/2022.

Additionally, WAGO will provide a security patch for e!COCKPIT Version 1.10 in February 2022.

WAGO will provide updated WAGO-I/O-Pro (CODESYS 2.3) (Version 2.3.9.68) setup routines with the latest WIBU-SYSTEMS Codemeter version in Q1/2022.

For further details on risk mitigation and the impact of this vulnerability, please refer to the official WIBU-SYSTEMS Advisory WIBU-210910-01 at https://www.wibu.com/support/security-advisories.html.

Further details on the corresponding CVEs can be obtained here:
https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf

Reported by

CERT@VDE coordinated with WAGO