ENDRESS+HAUSER: Products utilizing WIBU-SYSTEMS AG CodeMeter component

Several Endress+Hauser products are affected by vulnerabilities in the WIBU-SYSTEMS CodeMeter component

VDE-2020-031 (2020-10-27 14:10 UTC+0100)

Affected Vendors

Endress+Hauser

Affected Products

Order Code               Product Name                 Affected Version
SCE30B, SCE31B, SCE32B   SupplyCare Enterprise        3.0 up to 3.3
SFE 100                  DeviceCare                   From 1.02 up to 1.07 (current release)
SFE 500                  FieldCare                    2.15.00
SMT70, SMT77             FieldXpert                   From 1.03 up to 1.05 (current release)
MS20, MS21               Field Data Manager           1.4.0 up to 1.5.1 (current release)
71350102                 OPC UA Connectivity Server   1.2.0

Vulnerability Type

Buffer Access with Incorrect Length Value (CWE-805)

Summary

Each entry lists the CVE number, the corresponding WIBU-SYSTEMS security advisory, the CVSS v3.1 base score with its vector, the CWE classification and a short description.

CVE-2020-14513 (WIBU-200521-01)
CVSS v3.1 base score: High 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CWE-20: Improper Input Validation
CodeMeter and the software using it may crash while processing a specifically crafted license update file, because length fields in the file are not verified.

CVE-2020-14519 (WIBU-200521-02)
CVSS v3.1 base score: High 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
CWE-346: Origin Validation Error
This vulnerability allows an attacker to use the CodeMeter Runtime WebSockets API via a specifically crafted JavaScript payload, which, combined with CVE-2020-14515, may allow alteration or creation of license files for CmActLicense using the CmActLicense Firm Code.

CVE-2020-14509 (WIBU-200521-03)
CVSS v3.1 base score: Critical 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CWE-805: Buffer Access with Incorrect Length Value
Multiple memory corruption vulnerabilities exist because the packet parser of CodeMeter does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.

CVE-2020-14517 (WIBU-200521-04)
CVSS v3.1 base score: Critical 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)
CWE-326: Inadequate Encryption Strength
The protocol encryption can be easily broken and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.

CVE-2020-16233 (WIBU-200521-05)
CVSS v3.1 base score: High 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CWE-404: Improper Resource Shutdown or Release
An attacker could send a specially crafted packet that causes the server to send back packets containing data from the heap.

CVE-2020-14515 (WIBU-200521-06)
CVSS v3.1 base score: High 7.4 (AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H)
CWE-347: Improper Verification of Cryptographic Signature
An attacker could modify existing license update files or even build one themselves.

For further information, refer directly to the WIBU-SYSTEMS security advisories at https://wibu.com/support/security-advisories.html.

Impact

For detailed impact information, refer to the original WIBU-SYSTEMS advisories at https://wibu.com/support/security-advisories.html.

Solution

Temporary Fix / Mitigation

Most of the vulnerabilities are already fixed in CodeMeter Runtime version 7.10. With this version, additional mitigation measures are still required to cover all of the CVEs. For detailed information, refer to the original WIBU-SYSTEMS advisories at https://wibu.com/support/security-advisories.html.


Remediation

WIBU-SYSTEMS has released CodeMeter Runtime version 7.10a, dated 16 September 2020. All of the known vulnerabilities are fixed in this version. It is available at www.wibu.com/support.
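The remediation turns on a version string with a letter suffix, and that suffix is easy to get wrong in an inventory check: "7.10" is the release that still needs the additional mitigations, while "7.10a" is the one that fixes everything, so neither a float comparison (7.10 == 7.1) nor a plain string comparison gives a reliable answer. The following is an added example, not part of this advisory or of any WIBU-SYSTEMS tooling, that parses CodeMeter Runtime version strings of the form shown on this page into numeric components plus an optional suffix and decides whether an update to 7.10a is needed. How the version string is read from a particular host is not covered here and is assumed to be supplied by the caller.

```python
"""Decide whether an installed CodeMeter Runtime version is below the fixed
release 7.10a. Added example; not code from the advisory or WIBU-SYSTEMS."""
import re

# Fixed release named in the Remediation section of the advisory.
FIXED_VERSION = "7.10a"

# Major.minor followed by an optional single letter, e.g. "7.10", "7.10a".
# Assumption: CodeMeter version strings follow this shape.
_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)([a-z]?)\s*")


def parse_version(text):
    """'7.10a' -> (7, 10, 'a'); '7.10' -> (7, 10, '').

    The minor part is compared as an integer, not as a decimal fraction, so
    7.10 sorts after 7.9 and 7.1. The empty suffix sorts before any letter,
    so 7.10 < 7.10a < 7.10b, matching the vendor's numbering."""
    match = _VERSION_RE.fullmatch(text.lower())
    if not match:
        raise ValueError(f"unrecognised CodeMeter version string {text!r}")
    return int(match.group(1)), int(match.group(2)), match.group(3)


def needs_update(installed, fixed=FIXED_VERSION):
    """True if the installed version is older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)


if __name__ == "__main__":
    for v in ("6.90", "7.00", "7.10", "7.10a", "7.10b", "7.20"):
        print(f"{v:>6}: {'update required' if needs_update(v) else 'fixed'}")
```

The check deliberately rejects strings it does not understand instead of guessing, so an inventory job fails loudly on an unexpected format rather than silently reporting a host as fixed.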

Reported by

Sharon Brizinov and Tal Keren of Claroty reported these vulnerabilities to WIBU-SYSTEMS.
Coordinated by CERT@VDE, CISA and BSI.