WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT

Multiple vulnerabilities were reported in WIBU-SYSTEMS Codemeter.

VDE-2020-032 (2020-09-09 08:23 UTC+0200)

Affected Vendors

WAGO

Affected Products

All WAGO e!COCKPIT engineering software installation bundles < V1.8

WAGO controllers and IO-Devices are not affected by WIBU-SYSTEMS Codemeter vulnerabilities.

Vulnerability Type

BUFFER ACCESS WITH INCORRECT LENGTH VALUE (CWE-805)

Summary

Multiple vulnerabilities were reported in WIBU-SYSTEMS Codemeter. WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT installation. All currently existing e!COCKPIT installation bundles contain vulnerable versions of WIBU-SYSTEMS Codemeter.

WIBU-200521-01 Improper Input Validation of Update Files in CodeMeter Runtime
CVE-2020-14513
CWE-20 Improper Input Validation
CVSSv3.1 base score 7.5
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-01.pdf

WIBU-200521-02 CodeMeter Runtime WebSockets API: Missing Origin Validation
CVE-2020-14519
CWE-346 Origin Validation Error
CVSSv3.1 base score 8.1
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-02.pdf

WIBU-200521-03 CodeMeter Runtime DoS due to Buffer Access with Incorrect Length Value
CVE-2020-14509
CWE-805 Buffer Access with Incorrect Length Value
CVSSv3.1 base score 10.0
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-03.pdf

WIBU-200521-04 CodeMeter Runtime API: Inadequate Encryption Strength and Authentication
CVE-2020-14517
CWE-326 Inadequate Encryption Strength
CVSSv3.1 base score 9.4
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-04.pdf

WIBU-200521-05 CodeMeter Runtime API: Heap Leak
CVE-2020-16233
CWE-404 Improper Resource Shutdown or Release
CVSSv3.1 base score 7.5
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-05.pdf

WIBU-200521-06 Improper Signature Verification of Update Files in CodeMeter Runtime
CVE-2020-14515
CWE-347 Improper Verification of Cryptographic Signature
CVSSv3.1 base score 7.4
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-06.pdf

Impact

WAGO controllers and IO-Devices are not affected by WIBU-SYSTEMS Codemeter vulnerabilities.
However, for compatibility with the 3S Codesys Store, the e!COCKPIT engineering software is bundled with a WIBU-SYSTEMS Codemeter installation, so engineering workstations on which e!COCKPIT is installed are affected.

Vulnerability Characterization

Please refer to the official WIBU-SYSTEMS advisories at https://www.wibu.com/support/security-advisories.html.

Solution

We strongly encourage e!COCKPIT users to update WIBU-SYSTEMS Codemeter by installing the latest available stand-alone WIBU-SYSTEMS Codemeter version.
During the WIBU-SYSTEMS Codemeter installation, apply the setup settings recommended in the WIBU-SYSTEMS advisories; a brief summary is given in the Mitigation section below. Check the WIBU-SYSTEMS advisories for updates and details that may not be included in this document.
WAGO will provide an updated e!COCKPIT setup routine bundling the latest WIBU-SYSTEMS Codemeter version approximately in Q4/2020.

Mitigation

  1. Use general security best practices to protect systems from local and network attacks.
  2. Disable the WIBU-SYSTEMS CodeMeter Runtime WebSockets API.
  3. Run WIBU-SYSTEMS CodeMeter only as a client and bind the WIBU-SYSTEMS CodeMeter communication to localhost. If you need to operate WIBU-SYSTEMS CodeMeter Runtime as a Network License Server, make sure that it is operated in a secured environment.
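
The following PowerShell script is an added example and is not part of the WAGO/CERT@VDE advisory or of WIBU-SYSTEMS' own tooling. It audits an e!COCKPIT workstation against the Solution and mitigation steps above: the installed CodeMeter Runtime version, the address each CodeMeter listener is bound to, and whether the WebSockets API still completes a handshake carrying a foreign Origin header (the condition behind WIBU-200521-02). The fixed-version threshold, the TCP ports 22350/22352 and the ws://127.0.0.1:22350/ endpoint are assumptions taken from CodeMeter's standard configuration, not from this advisory; confirm them against the current WIBU-SYSTEMS advisories before relying on the result.

```powershell
# Added example, not part of the VDE/WAGO advisory: audit an e!COCKPIT
# workstation for what the Solution and Mitigation sections ask for
# (runtime updated, WebSockets API disabled, listener bound to localhost).
# Assumptions not stated in the advisory, adjust as needed:
#   - $MinimumVersion is the first CodeMeter Runtime version the WIBU-SYSTEMS
#     advisories list as fixed; take the current value from wibu.com.
#   - 22350 (license server / WebSockets API) and 22352 (WebAdmin) are
#     CodeMeter's standard TCP ports; the WebSockets endpoint is assumed to be
#     ws://127.0.0.1:22350/.
param(
    [version]$MinimumVersion = '7.10',
    [int[]]$CodeMeterPorts = @(22350, 22352),
    [uri]$WebSocketEndpoint = 'ws://127.0.0.1:22350/'
)

# 1. Installed runtime version, read from the Uninstall registry keys
#    (64-bit and 32-bit views), compared with the assumed fixed version.
$uninstall = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$cm = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'CodeMeter*' } |
    Select-Object -First 1 -Property DisplayName, DisplayVersion

if (-not $cm) {
    Write-Output 'CodeMeter Runtime: not installed'
} else {
    $installed = $cm.DisplayVersion -as [version]
    if ($null -eq $installed) {
        Write-Warning "CodeMeter Runtime: cannot parse version '$($cm.DisplayVersion)', check manually"
    } elseif ($installed -lt $MinimumVersion) {
        Write-Warning "CodeMeter Runtime $installed is below $MinimumVersion: install the latest stand-alone runtime (Solution)"
    } else {
        Write-Output "CodeMeter Runtime $installed: at or above $MinimumVersion"
    }
}

# 2. Listening sockets on the CodeMeter ports and the address they are bound
#    to (Mitigation step 3: localhost binding when running as a client only).
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $CodeMeterPorts }
if (-not $listeners) {
    Write-Output "No listener on ports $($CodeMeterPorts -join ', ')"
}
foreach ($l in $listeners) {
    $proc = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    if ($l.LocalAddress -in @('127.0.0.1', '::1')) {
        Write-Output "Port $($l.LocalPort) ($proc): bound to loopback only"
    } else {
        Write-Warning "Port $($l.LocalPort) ($proc): bound to $($l.LocalAddress), reachable from the network; bind to localhost unless this host is a Network License Server in a secured environment"
    }
}

# 3. WebSockets API (Mitigation step 2): attempt a handshake that carries a
#    foreign Origin header. If the runtime completes it, the API is still
#    enabled and the Origin is not validated (WIBU-200521-02 / CVE-2020-14519).
$ws = New-Object System.Net.WebSockets.ClientWebSocket
$ws.Options.SetRequestHeader('Origin', 'http://attacker.example')   # constructed foreign origin
try {
    $ws.ConnectAsync($WebSocketEndpoint, [System.Threading.CancellationToken]::None).Wait()
    Write-Warning "WebSockets API at $WebSocketEndpoint accepted a handshake with a foreign Origin: disable the WebSockets API in CodeMeter WebAdmin"
    $ws.Abort()
} catch {
    Write-Output "WebSockets API at $WebSocketEndpoint refused the handshake (API disabled, port closed, or Origin rejected)"
} finally {
    $ws.Dispose()
}
```

Run the script on each engineering workstation after installing the stand-alone CodeMeter runtime; every Write-Warning line corresponds to one item of the Solution or Mitigation that has not yet been applied. The Origin probe only tells you whether a cross-origin handshake is accepted; an updated runtime that still has the WebSockets API enabled will reject the foreign Origin but keep the API reachable for local pages, so the advisory's recommendation to disable the API altogether still applies.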

For further impact information and risk mitigation, please refer to the official WIBU-SYSTEMS advisory website at https://www.wibu.com/support/security-advisories.html.
Further details on the corresponding CVEs can be obtained here:
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-01.pdf
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-02.pdf
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-03.pdf
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-04.pdf
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-05.pdf
https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-06.pdf

Reported by

Coordination done by CERT@VDE.