WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro

Multiple vulnerabilities were reported in WIBU-SYSTEMS Codemeter. WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations. All currently existing e!COCKPIT installation bundles and WAGO-I/O-Pro (CODESYS 2.3) installation bundles with Version 2.3.9.46, 2.3.9.47, 2.3.9.49, 2.3.9.53, 2.3.9.55, 2.3.9.61 and 2.3.9.66 contain vulnerable versions of WIBU-SYSTEMS Codemeter.

VDE-2021-043 (2021-08-31 09:00 UTC+0200)

Affected Vendors

WAGO

Affected Products

All WAGO e!COCKPIT engineering software installation bundles < V1.10
All WAGO-I/O-Pro (CODESYS 2.3) engineering software installation versions 2.3.9.46, 2.3.9.47, 2.3.9.49, 2.3.9.53, 2.3.9.55, 2.3.9.61 and 2.3.9.66.

Vulnerability Type

Out-of-bounds Read (CWE-125)

Summary

CVE-2021-20093
CVSS: 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CWE: 125 - Out-of-bounds Read
Description: CodeMeter Runtime Network Server: Heap Leak and Denial of Service
The vulnerability affects the TCP/IP communication of CodeMeter License Server. Sending manipulated packets can cause CodeMeter License Server to crash or read data from heap memory. See WIBU-210423-01 for details.

CVE-2021-20094
CVSS: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: 125 - Out-of-bounds Read
Description: CodeMeter Runtime CmWAN Server: Denial of Service (DoS)
The vulnerability affects communication with the CodeMeter CmWAN server. Sending special HTTP(S) requests to the CmWAN server can cause the CodeMeter License Server to crash. The CmWAN server is disabled by default. See WIBU-210423-02 for details.

Impact

WAGO controllers and I/O devices are not affected by the WIBU-SYSTEMS Codemeter vulnerabilities. However, for compatibility with the 3S CODESYS Store, the e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) engineering software is bundled with a WIBU-SYSTEMS Codemeter installation, so the engineering workstation carries the vulnerable component.

Solution

We strongly encourage e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) users to update WIBU-SYSTEMS Codemeter by installing the latest available stand-alone WIBU-SYSTEMS Codemeter Version.

During the WIBU-SYSTEMS Codemeter installation process, apply the setup settings recommended in the WIBU-SYSTEMS advisories; a brief summary is provided in the Mitigation chapter below. Please check the WIBU-SYSTEMS advisories for updates and details that may not be included in this document.

WAGO will provide updated e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) setup routines with the latest WIBU-SYSTEMS Codemeter version in Q4/2021.

Mitigation

  1. Use general security best practices to protect systems from local and network attacks.
  2. Run CodeMeter as client only and bind the CodeMeter communication to localhost.
  3. With the binding set to localhost, an attack over a remote network connection is no longer possible. The network server is disabled by default.
  4. If it is not possible to disable the network server, using a host-based firewall to restrict access to the CmLAN port can reduce the risk.
  5. The CmWAN server is disabled by default. Please check if CmWAN is enabled and disable the feature if it is not needed.
  6. Run the CmWAN server only behind a reverse proxy with user authentication to prevent attacks from unauthenticated users.
  7. The risk of an unauthenticated attacker can be further reduced by using a host-based firewall that only allows the reverse proxy to access the CmWAN port.
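The following PowerShell script is an added example for checking mitigations 2 to 5 on a Windows engineering workstation; it is not part of the WAGO or CERT@VDE advisory. It lists every TCP listener owned by the CodeMeter process and flags those not bound to a loopback address (which also surfaces a CmWAN or WebAdmin listener that should be disabled if unneeded), and with `-Enforce` it restricts the CmLAN port to listed hosts using the Windows host firewall, as mitigation 4 describes. The process name `CodeMeter`, the CmLAN port 22350 (the CodeMeter default) and the `-Enforce` / `-AllowedRemote` parameters are assumptions of this example, not values from the advisory; adjust them to your installation.

```powershell
<#
  Added example, not part of the WAGO / CERT@VDE advisory.
  Audits how the CodeMeter License Server is bound on a Windows engineering
  workstation and, on request, restricts the CmLAN port with host firewall rules.
  Assumptions (not stated in the advisory): the service process is CodeMeter.exe
  and the CmLAN network server listens on TCP 22350, the CodeMeter default.
  Run from an elevated PowerShell session; without -Enforce it only reports.
#>
param(
    [string]   $ProcessName   = 'CodeMeter',
    [int]      $CmLanPort     = 22350,
    [string[]] $AllowedRemote = @(),   # hosts that legitimately need the license server
    [switch]   $Enforce
)

$loopback = @('127.0.0.1', '::1')

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Output "No process named $ProcessName is running; nothing to audit."
    return
}

# Every TCP listener owned by the CodeMeter process. Anything not bound to a
# loopback address is reachable from the network (CmLAN, CmWAN or WebAdmin).
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $procs.Id -contains $_.OwningProcess }

foreach ($l in $listeners) {
    $state = if ($l.LocalAddress -in $loopback) { 'OK: localhost only' }
             else { 'EXPOSED: reachable from the network' }
    Write-Output ('{0,-40} {1,6}  {2}' -f $l.LocalAddress, $l.LocalPort, $state)
}

$exposedLan = $listeners | Where-Object {
    $_.LocalPort -eq $CmLanPort -and $_.LocalAddress -notin $loopback
}
if (-not $exposedLan) {
    Write-Output "CmLAN port $CmLanPort is not exposed; no firewall change needed."
    return
}

Write-Output "CmLAN port $CmLanPort is network-reachable. Preferred fix: bind CodeMeter to localhost."
if (-not $Enforce) {
    Write-Output 'Re-run with -Enforce to restrict the port with host firewall rules instead.'
    return
}

# Windows Firewall applies explicit Block rules before Allow rules, so the
# restriction is built the other way round: disable broad Allow rules for the
# port, add a narrow Allow rule for the listed hosts, and rely on the profile's
# default inbound action being Block.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$CmLanPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Disable-NetFirewallRule

if ($AllowedRemote.Count -gt 0) {
    New-NetFirewallRule -DisplayName 'CodeMeter CmLAN - listed hosts only' `
        -Direction Inbound -Protocol TCP -LocalPort $CmLanPort `
        -RemoteAddress $AllowedRemote -Action Allow | Out-Null
    Write-Output ('Inbound TCP {0} now allowed only from: {1}' -f $CmLanPort, ($AllowedRemote -join ', '))
} else {
    Write-Output "No allowed hosts given; inbound TCP $CmLanPort falls back to the profile default."
}

# The narrow Allow rule only helps if everything else is blocked by default.
$open = Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' }
if ($open) {
    Write-Warning ('Default inbound action is not Block for profile(s): {0}' -f ($open.Name -join ', '))
}
```

Run it first without `-Enforce` to see the report; a line such as `0.0.0.0 22350 EXPOSED` means the CmLAN server accepts connections from the network and mitigation 2 (localhost binding) has not been applied. If the server must stay reachable, `.\Audit-CodeMeterBinding.ps1 -AllowedRemote 192.0.2.10 -Enforce` (the file name and the address from the documentation range are placeholders) disables the broad allow rules and permits only the named host. The script deliberately does not change CodeMeter's own binding or CmWAN setting; those remain a WebAdmin or installer configuration step per the WIBU-SYSTEMS advisories.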

For further impact information and risk mitigation, please refer to the official WIBU-SYSTEMS Advisory Website at wibu.com/support/security-advisories.html.

Reported by

Coordination done by CERT@VDE.