
ID

VDE-2023-035

Published

2023-12-05 08:00 (CET)

Last update

2023-12-04 14:57 (CET)

Vendor(s)

CODESYS GmbH

Product(s)

| Product Name | Affected Version(s) |
| --- | --- |
| CODESYS Control for Linux ARM SL | < 4.10.0.0 |
| CODESYS Control for Linux SL | < 4.10.0.0 |
| CODESYS Control RTE (for Beckhoff CX) SL | < 3.5.19.30 |
| CODESYS Control RTE (SL) | < 3.5.19.30 |
| CODESYS Control Win (SL) | < 3.5.19.30 |
| CODESYS Development System | >= 2.3.9.45 |
| CODESYS Development System | < 3.5.19.30 |
| CODESYS HMI (SL) | < 3.5.19.30 |
| CODESYS OPC DA Server SL | < 3.5.19.30 |
| CODESYS SP Realtime NT | >= 2.3.7.25 |

Summary

Several CODESYS setups contain and install vulnerable versions of the WIBU CodeMeter Runtime.


Last Update:

19. September 2023 08:50

Weakness

Out-of-bounds Write (CWE-787)

Summary

A heap buffer overflow vulnerability in the Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated, remote attacker to achieve RCE and gain full access to the host system.


Impact

The CODESYS Development System is an IEC 61131-3 programming tool for PLCs based on the CODESYS Control runtime system, which enables embedded or PC-based devices to be a programmable industrial controller. All affected CODESYS products install and use the WIBU CodeMeter Runtime for license management. The manufacturer WIBU-SYSTEMS AG has reported a heap buffer overflow vulnerability in the WIBU CodeMeter Runtime, which can potentially lead to remote code execution.

Solution

Mitigation

WIBU-SYSTEMS AG recommends updating to CodeMeter Runtime version 7.60c to fix the vulnerability.

Until an update is available for the affected CODESYS products, or if such an update is not going to be installed, CODESYS GmbH recommends downloading and installing the current CodeMeter Runtime directly from the website of WIBU-SYSTEMS AG (https://www.wibu.com/support/user/user-software.html).

If neither an update of the affected CODESYS products nor an update of the WIBU CodeMeter Runtime can be performed, you may find further mitigations in the Security Advisory WIBU-230704-01 provided by WIBU-SYSTEMS AG (https://www.wibu.com/support/security-advisories.html).

Remediation

Update the following products to version 3.5.19.30.
• CODESYS Control RTE (SL)
• CODESYS Control RTE (for Beckhoff CX) SL
• CODESYS Control Win (SL)
• CODESYS HMI (SL)
• CODESYS Development System
• CODESYS OPC DA Server SL

Update the following products to version 4.10.0.0.
• CODESYS Control for Linux SL
• CODESYS Control for Linux ARM SL

For the legacy CODESYS V2 products, no new version is scheduled.
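The following triage script is an added example, not part of the original advisory or of any CODESYS or WIBU tooling. It applies the version ranges from the product table and the CodeMeter fix version from the Mitigation section to an asset inventory. The function names, status strings and inventory entries are constructed for illustration, and treating major version 2 as the legacy V2 line is an assumption.

```python
import re

FIXED_CODEMETER = "7.60c"  # fixed runtime version named in the Mitigation section

# (lower bound inclusive, upper bound exclusive), transcribed from the product table.
RANGES = {
    "CODESYS Control for Linux ARM SL": (None, "4.10.0.0"),
    "CODESYS Control for Linux SL": (None, "4.10.0.0"),
    "CODESYS Control RTE (for Beckhoff CX) SL": (None, "3.5.19.30"),
    "CODESYS Control RTE (SL)": (None, "3.5.19.30"),
    "CODESYS Control Win (SL)": (None, "3.5.19.30"),
    "CODESYS Development System": ("2.3.9.45", "3.5.19.30"),
    "CODESYS HMI (SL)": (None, "3.5.19.30"),
    "CODESYS OPC DA Server SL": (None, "3.5.19.30"),
    "CODESYS SP Realtime NT": ("2.3.7.25", None),
}

def dotted(v):
    # Compare numerically: as strings, "4.9.0.0" would sort after "4.10.0.0".
    return tuple(int(p) for p in v.split("."))

def codemeter_key(v):
    # CodeMeter versions carry a letter suffix ("7.60b"); "" sorts before "a".
    m = re.fullmatch(r"(\d+)\.(\d+)([a-z]?)", v.strip().lower())
    if not m:
        raise ValueError(f"unrecognised CodeMeter version: {v!r}")
    return int(m[1]), int(m[2]), m[3]

def codemeter_vulnerable(v):
    return codemeter_key(v) < codemeter_key(FIXED_CODEMETER)

def triage(product, version, codemeter=None):
    if product not in RANGES:
        return "not-listed"
    low, high = RANGES[product]
    v = dotted(version)
    if (low and v < dotted(low)) or (high and v >= dotted(high)):
        return "not-affected"
    # The bundled runtime may already have been replaced with a fixed one.
    if codemeter and not codemeter_vulnerable(codemeter):
        return "mitigated-runtime-updated"
    # Assumption: major version 2 is the legacy V2 line, for which no fix is scheduled.
    if v[0] == 2:
        return "affected-no-fix-scheduled"
    return f"affected-update-to-{high}"

if __name__ == "__main__":
    # Constructed inventory: (product, product version, installed CodeMeter or None).
    inventory = [("CODESYS Control for Linux SL", "4.9.0.0", "7.60b"),
                 ("CODESYS HMI (SL)", "3.5.18.0", "7.60c"),
                 ("CODESYS Development System", "2.3.9.60", None)]
    for product, version, cm in inventory:
        print(product, version, triage(product, version, cm))
```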

Reported by

CERT@VDE coordinated with CODESYS