WEIDMUELLER: u-create studio affected by WIBU-SYSTEMS CodeMeter vulnerabilities

VDE-2020-041 (2020-10-12 12:14 UTC+0200)

Affected Vendors

WEIDMUELLER

Affected Products

The following Weidmüller product with the indicated software versions is affected:

Product Number   Product Name      Software versions affected
2660130000       u-create studio   1.18.b and 1.20.2

Vulnerability Type

Multiple; see "Impact" for details.

Summary

WIBU-SYSTEMS has reported multiple vulnerabilities in its CodeMeter Runtime software. The WIBU-SYSTEMS CodeMeter Runtime is installed by default as part of the Weidmüller u-create studio installation. Because the u-create studio installation bundle contains vulnerable versions of WIBU-SYSTEMS CodeMeter, u-create studio is affected by a subset of these vulnerabilities. For details refer to section "Impact".

Impact

The stated Weidmüller product is supplied with the WIBU-SYSTEMS CodeMeter Runtime software in version 6.81, which contains the following vulnerabilities:

WIBU Security Advisory   CVE Number       Score   Description
WIBU-200521-01           CVE-2020-14513   7.5     Not affected (fixed in 6.81; Weidmüller ships 6.81 or later)
WIBU-200521-02           CVE-2020-14519   8.1     CodeMeter Runtime WebSockets API: Missing Origin Validation
WIBU-200521-03           CVE-2020-14509   10.0    CodeMeter Runtime DoS due to Buffer Access with Incorrect Length Value
WIBU-200521-04           CVE-2020-14517   9.4     CodeMeter Runtime API: Inadequate Encryption Strength and Authentication
WIBU-200521-05           CVE-2020-16233   7.5     CodeMeter Runtime API: Heap Leak
WIBU-200521-06           CVE-2020-14515   7.4     Improper Signature Verification of CmActLicense update files for CmActLicense Firm Code

The runtime software on Weidmüller controllers is not affected, because the critical interfaces are disabled there.

Solution

  • For an installed u-create studio: Update to the current version 7.10a or newer of the CodeMeter Runtime, available via the manufacturer's website.

  • For a new installation of u-create studio: First install u-create studio, then update to the current version 7.10a or newer of the CodeMeter Runtime, available via the manufacturer's website.
    Note: Updating the CodeMeter Runtime before installing u-create studio will cause errors during the u-create studio installation.

Mitigation

  • Use general security best practices to protect systems from local and network attacks.
  • For versions prior to 7.10a, run CodeMeter Runtime as a client only and bind the CodeMeter
    communication to localhost. With the binding to localhost, an attack is no longer possible via a
    remote network connection. This is the default configuration.
  • If CodeMeter Runtime is required to run as a network server, use the CodeMeter License Access
    Permissions feature to restrict usage of the CodeMeter API.
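
The two facts an operator has to confirm on a u-create studio host are the ones above: the installed CodeMeter Runtime is 7.10a or newer, and, while an older runtime remains, its network listener is bound to localhost only. The following is an added example (not code from this advisory, Weidmüller or WIBU-SYSTEMS) that evaluates both from a version string and listener output; it assumes the "major.minor[letter]" version scheme seen in "6.81" and "7.10a", and the default CodeMeter network port 22350, which the advisory does not state.

```python
"""Checks for VDE-2020-041: CodeMeter Runtime version and listener binding."""
import ipaddress
import re

FIXED_VERSION = "7.10a"  # advisory: 7.10a or newer of the CodeMeter Runtime
CODEMETER_PORT = 22350   # CodeMeter's default network port (assumed; not in the advisory)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)([a-z]?)$")  # assumed "major.minor[letter]" scheme

# Constructed sample in 'ss -ltn' layout, not captured from a real host.
SAMPLE_LISTENERS = [
    "LISTEN 0 128 127.0.0.1:22350 0.0.0.0:*",   # loopback-only: the advisory's default
    "LISTEN 0 128 0.0.0.0:22350   0.0.0.0:*",   # wildcard bind: reachable remotely
]


def parse_version(text):
    """'7.10a' -> (7, 10, 'a'); a bare '7.10' sorts before '7.10a'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CodeMeter version: {text!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3)


def is_fixed(version):
    return parse_version(version) >= parse_version(FIXED_VERSION)


def exposed_bindings(listener_lines, port=CODEMETER_PORT):
    """Local socket addresses on `port` that are not bound to loopback."""
    exposed = []
    for line in listener_lines:
        for token in line.split():
            host, sep, p = token.rpartition(":")
            if sep != ":" or p != str(port):
                continue                      # not a local address on our port
            host = host.strip("[]")           # '[::1]' -> '::1'
            try:
                if host != "*" and ipaddress.ip_address(host).is_loopback:
                    continue
            except ValueError:
                pass                          # unparsable host: report rather than hide
            exposed.append(token)
    return exposed


def assess(version, listener_lines, port=CODEMETER_PORT):
    findings = []
    if not is_fixed(version):  # binding only matters while the runtime is outdated
        findings.append(f"CodeMeter Runtime {version} is older than {FIXED_VERSION}")
        findings += [f"listener reachable remotely: {a}"
                     for a in exposed_bindings(listener_lines, port)]
    return findings
```

Feed `assess()` the runtime version reported by the host and the lines of its listening-socket table; an empty result means the host is either updated or, if outdated, reachable only from localhost.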

For further impact information and risk mitigation, please refer to the official WIBU-SYSTEMS Advisory Website at https://www.wibu.com/support/security-advisories.html

Reported by

Sharon Brizinov and Tal Keren of Claroty
WIBU-Systems
Coordinated by CERT@VDE, CISA and BSI