| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| SFE100 | DeviceCare | 1.02.xx <= 1.07.06 |
| SFE500 | FieldCare | 2.15.xx <= 2.16.xx |
| MS20 | Field Data Manager | 1.4.0 <= 1.6.2 |
| MS21 | Field Data Manager | 1.4.0 <= 1.6.2 |
| SMT50 | Field Xpert | 1.03.xx <= 1.05.xx |
| SMT70 | Field Xpert | 1.03.xx <= 1.05.xx |
| SMT77 | Field Xpert | 1.03.xx <= 1.05.xx |
| Proline Promag W 800 OPC/UA Connectivity Server | = V1.3.7926 | |
| SCE30B | SupplyCare Enterprise | 3.0.x <= 3.4.x |
| SCE31B | SupplyCare Enterprise | 3.0.x <= 3.4.x |
| SCE32B | SupplyCare Enterprise | 3.0.x <= 3.4.x |
For detailed information please refer to WIBU SYSTEMS original Advisories at https://wibu.com/support/security-advisories.html.
A buffer over-read vulnerability exists in Wibu-Systems CodeMeter versions < 7.21a. An unauthenticated remote attacker can exploit this issue to disclose heap memory contents or crash the CodeMeter Runtime Server.
curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can ...
A denial of service vulnerability exists in Wibu-Systems CodeMeter versions < 7.21a. An unauthenticated remote attacker can exploit this issue to crash the CodeMeter Runtime Server.
curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.
In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. ...
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. ...
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. ...
Mitigation
All vulnerabilities have already been fixed in several CodeMeter versions. Endress+Hauser recommends to use CodeMeter version >=7.40b.
The version is available at https://www.wibu.com/support.
For the Operating System WIN 7 it´s recommended to update the operating system, use/re-install the Endress+Hauser Software Application supporting the newer operating system and update Code Meter to version >= 7.40b.
Remediation
Update the software application of the affected products:
| # | Product Name | Fixed Version |
|
SCE30B |
SupplyCare Enterprise | >= 3.5.1 |
| SFE100 | DeviceCare | >= 1.07.07 |
| SFE500 | FieldCare | >= 2.17.00 |
| SMT50 SMT70 SMT77 |
Field Xpert | >= 1.06.00 |
| MS20 MS21 |
Field Data Manager | >= 1.6.3 |
| Freeware for the Proline Promag W 800/5W8C via Endress+Hauser Download Portal |
Proline Promag W 800 OPC/UA Connectivity Server | > V1.3.7926 |
CERT@VDE coordinated with ENDRESS+HAUSER