| Article No. | Product Name | Affected Version(s) |
| 8140772 | CIROS | <= 7.0.6 (before 2022-09-15) |
| 8140773 | CIROS | <= 7.0.6 (before 2022-09-15) |
| 8038980 | CIROS | <= 6.4.6 (before 2022-09-15) |
| | FluidDraw P5 | all versions |
| | FluidDraw P6 | < 6.2c |
| | MES PC | n/a |
A vulnerability was reported in WIBU-SYSTEMS CodeMeter Runtime, which is bundled in the installation packages of several Festo products.
FluidDraw < 6.2c and CIROS <= 7.0.6 (installers built before 2022-09-15) ship a vulnerable version of CodeMeter Runtime.
In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link causes the linked file to be overwritten without a permission check, i.e. a local user can overwrite files that their own permissions would not allow them to write. The fix is to run CodeMeter Runtime 7.30a or later.
FluidDraw P5, FluidDraw P6
Do not install FluidDraw from an installation package with a version below 6.2c. Updated versions of FluidDraw are available on the Festo website.
If you must install from a FluidDraw package with a version below 6.2c, do not use the WIBU CodeMeter package bundled with it: skip the CodeMeter installation step during the FluidDraw installation and instead download a current CodeMeter version from the WIBU website and install it separately. If a vulnerable CodeMeter version is already installed, update every such WIBU CodeMeter installation to the current version of WIBU CodeMeter.
Refer to the WIBU CodeMeter documentation and website for further details and mitigations for WIBU CodeMeter Runtime versions before 7.30a.
For future installations, use only a CIROS installer downloaded from https://ip.festo-didactic.com/Infoportal/CIROS/EN/Download.html after September 15, 2022. For existing installations, update the WIBU CodeMeter Runtime separately to at least version 7.30a, downloaded from the WIBU Systems website. Refer to the WIBU CodeMeter documentation and website for further details and mitigations for WIBU CodeMeter Runtime versions before 7.30a.
If MES4 came preinstalled on a PC shipped before December 2022, make sure that PC has at least CodeMeter Runtime 7.30a installed. If necessary, download the update from the WIBU Systems website.
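Every mitigation above comes down to the same check: is each installed CodeMeter Runtime at least 7.30a? The following Python script is an added example (not Festo's or WIBU's code) that performs that check. It assumes the runtime's Windows uninstall-registry entry carries a DisplayName of the form "CodeMeter Runtime Kit v<version>" (adjust the pattern if your hosts differ), and it treats a version without a patch letter, such as a bare "7.30", as older than "7.30a" so that such an entry is flagged rather than silently accepted; both are assumptions made for this example. The sample inventory in the block is constructed, not taken from real hosts.

```python
"""Audit installed WIBU CodeMeter Runtime versions against the fixed release 7.30a.

Added example, not Festo or WIBU code. The registry DisplayName pattern and the
sample inventory below are assumptions / constructed data for illustration.
"""
import re
from typing import Iterable, List, Optional, Tuple

MIN_FIXED = "7.30a"  # minimum fixed version named in the advisory

# Assumed DisplayName format of the runtime's Windows uninstall entry,
# e.g. "CodeMeter Runtime Kit v7.20a". Adjust if your hosts report it differently.
_DISPLAY_RE = re.compile(r"CodeMeter Runtime Kit\s+v?(\d+\.\d+[a-z]?)", re.IGNORECASE)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)([a-z])?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Map a WIBU-style version to a comparable tuple: '7.30a' -> (7, 30, 1).

    A bare '7.30' maps to (7, 30, 0), i.e. it sorts below '7.30a'. That is a
    deliberate, conservative assumption: an entry without a patch letter is
    flagged for update rather than silently accepted.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CodeMeter version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), (ord(patch) - ord("a") + 1) if patch else 0


def is_fixed(version: str, minimum: str = MIN_FIXED) -> bool:
    """True if `version` is at least the fixed release."""
    return parse_version(version) >= parse_version(minimum)


def version_from_display_name(name: str) -> Optional[str]:
    """Extract the runtime version from an uninstall DisplayName, or None if
    the entry is not a CodeMeter Runtime Kit."""
    m = _DISPLAY_RE.search(name)
    return m.group(1) if m else None


def audit(display_names: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Return (display_name, version, fixed) for every CodeMeter entry found.
    Entries that are not CodeMeter Runtime Kits are ignored."""
    findings = []
    for name in display_names:
        version = version_from_display_name(name)
        if version is not None:
            findings.append((name, version, is_fixed(version)))
    return findings


def needs_update(display_names: Iterable[str]) -> List[str]:
    """Versions of installed CodeMeter Runtimes that are below 7.30a."""
    return [version for _, version, fixed in audit(display_names) if not fixed]


def registry_display_names() -> List[str]:
    """Windows only: DisplayName of every entry under both uninstall hives
    (native and WOW6432Node). Returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    names: List[str] = []
    for path in (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                 r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    sub = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(root, sub) as key:
                        names.append(str(winreg.QueryValueEx(key, "DisplayName")[0]))
                except OSError:
                    continue  # entry without a DisplayName
    return names


# Constructed sample inventory (not real hosts): what a registry sweep might return.
SAMPLE_ENTRIES = [
    "CodeMeter Runtime Kit v7.21b",            # vulnerable
    "Festo FluidDraw P6 6.1",                  # not a CodeMeter entry, ignored
    "CodeMeter Runtime Kit v7.30",             # no patch letter: flagged (conservative)
    "CodeMeter Runtime Kit v7.30a",            # fixed
    "CodeMeter Runtime Kit v7.40c (64-bit)",   # fixed
]

if __name__ == "__main__":
    entries = registry_display_names() or SAMPLE_ENTRIES
    for name, version, fixed in audit(entries):
        print(f"{'OK    ' if fixed else 'UPDATE'} {version:<6} {name}")
```

Run on a Windows host the script sweeps the registry; elsewhere it falls back to the constructed inventory. Because FluidDraw, CIROS and MES4 installers may each have installed their own CodeMeter Runtime, the audit reports every CodeMeter entry it finds rather than stopping at the first one, and any version below 7.30a is marked UPDATE.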
In addition to the above:
Festo strongly recommends restricting unprivileged access to machines running Festo software, and minimizing and protecting network access to connected devices with state-of-the-art techniques and processes.
For secure operation, follow the recommendations in the product manuals.
CERT@VDE coordinated with Festo SE & Co. KG