A number of TRUMPF CAD/CAM software tools use the CodeMeter Runtime application from WIBU-SYSTEMS AG to manage licences. This application contains a number of vulnerabilities, which enable an attacker to prevent normal operation of CodeMeter, resulting in a Denial-of-Service and potentially execute arbitrary code.
The Web-Based Management (WBM) of WAGOs programmable logic controller (PLC) is typically used for administration, commissioning and updates.
Older firmware versions of the PLC family 750-88x and 750-352 are vulnerable for a special denial of service attack.
All newer Firmware releases since FW11, released in December 2017, are not affected.
Additional, affected devices:
Bender is publishing this advisory to inform customers about a security vulnerability in all devices running the COMTRAXX software.
The user authorization is validated for most, but not all routes in the system. A user with knowledge about the routes can read and write configuration data without prior authorization.
WIBU-SYSTEMS report multiple vulnerabilities in their CodeMeter Runtime software. As part of the Weidmüller u-create studio installation the WIBU-SYSTEMS CodeMeter is installed by default. As the u-create studio installation bundle contains vulnerable versions of WIBU-SYSTEMS CodeMeter, the u-create studio is affected by a subset of these vulnerabilities. For details refer to section "Impact".