Share: Email | Twitter

ID

VDE-2020-030

Published

2020-09-09 08:22 (CEST)

Last update

2020-09-09 08:22 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
1153509 E-Mobility Charging Suite license codes for EV Charging Suite Setup <= 1.7.3
1153513 E-Mobility Charging Suite license codes for EV Charging Suite Setup <= 1.7.3
1086929 E-Mobility Charging Suite license codes for EV Charging Suite Setup <= 1.7.3
1153516 E-Mobility Charging Suite license codes for EV Charging Suite Setup <= 1.7.3
1086891 E-Mobility Charging Suite license codes for EV Charging Suite Setup <= 1.7.3
1153508 E-Mobility Charging Suite license codes for EV Charging Suite Setup <= 1.7.3
1153520 E-Mobility Charging Suite license codes for EV Charging Suite Setup <= 1.7.3
1086921 E-Mobility Charging Suite license codes for EV Charging Suite Setup <= 1.7.3
1086889 E-Mobility Charging Suite license codes for EV Charging Suite Setup <= 1.7.3
1086920 E-Mobility Charging Suite license codes for EV Charging Suite Setup <= 1.7.3
2702889 FL Network Manager <= 4.20
1083065 IOL-CONF 1.7.0
1046008 PC Worx Engineer <= 2020.06
1165889 PLCnext Engineer EDU LIC <= 2020.06

Summary

Several vulnerabilities have been discovered in WIBU-SYSTEMS CodeMeter and published 08 September 2020. Phoenix Contact is only affected by a subset of these vulnerabilities.

Phoenix Contact products are not affected by vulnerabilities WIBU-200521-01 (CVE-2020- 14513), WIBU-200521-04 (CVE-2020-14517, and WIBU-200521-06 (CVE-2020-14515). For further Information please refer to WIBU Advisories directly at https://wibu.com/support/security-advisories.html.

Vulnerabilities



Last Update
March 3, 2022, 12:09 p.m.
Weakness
Buffer Access with Incorrect Length Value (CWE-805)
Summary

Multiple memory corruption vulnerabilities exist in CodeMeter (All versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.

Last Update
Oct. 6, 2020, 1:19 p.m.
Weakness
Improper Resource Shutdown or Release (CWE-404)
Summary

An attacker could send a specially crafted packet that could have CodeMeter (All versions prior to 7.10) send back packets containing data from the heap.

Last Update
March 3, 2022, 12:09 p.m.
Weakness
Origin Validation Error (CWE-346)
Summary

This vulnerability allows an attacker to use the internal WebSockets API for CodeMeter (All versions prior to 7.00 are affected, including Version 7.0 or newer with the affected WebSockets API still enabled. This is especially relevant for systems or devices where a web browser is used to access a web server) via a specifically crafted Java Script payload, which may allow alteration or creation of license files for when combined with CVE-2020-14515.

Impact

WIBU Security Advisory CVE Number Description Phoenix Contact products according table above
WIBU- 200521-01 CVE-2020- 14513
Score: 7.5
Improper Input Validation of WibuRaU files in CodeMeter Runtime Products are not affected as Phoenix Contact is using a Universal Firm Code
WIBU- 200521-02 CVE-2020- 14519
Score: 8.1
CodeMeter Runtime WebSockets API: Missing Origin Validation Products are affected according WIBU Systems classification
WIBU- 200521-03 CVE-2020- 14509
Score: 10.0
CodeMeter Runtime DoS due to Buffer Access with Incorrect Length Value Products are affected according WIBU Systems classification
WIBU- 200521-04 CVE-2020- 14517
Score: 9.4
CodeMeter Runtime API: Inadequate Encryption Strength and Authentication Products are not affected as Phoenix Contact is using AxProtector
WIBU- 200521-05 CVE-2020- 16233
Score: 7.5
CodeMeter Runtime API: Heap Leak Products are affected according WIBU Systems classification
WIBU- 200521-06 CVE-2020- 14515
Score: 7.4
Improper Signature Verification of CmActLicense update files for CmActLicense Firm Code Products are not affected as Phoenix Contact is using a Universal Firm Code

Phoenix Contact devices using CodeMeter embedded are not affected by these vulnerabilities. According to WIBU SYSTEMS Universal Firm Codes (UFC) used by Phoenix Contact are not affected.

Solution

Temporary Fix / Mitigation

  1. Use general security best practices to protect systems from local and network attacks like described in the application note AH EN INDUSTRIAL SECURITY.
  2. Disable the CodeMeter Runtime WebSockets API.
  3. Run CodeMeter only as client and use localhost as binding for the CodeMeter communication. If you need to operate CodeMeter Runtime as Network License Server please make sure that it is operated in a secure environment.

For detailed information please refer to WIBU Systems original Advisories.

Remediation

WIBU-SYSTEMS has released a new CodeMeter Runtime version 7.10 to fix the known vulnerabilities and may continue to release further updated versions in the future.

Phoenix Contact has released a new version of Activation Wizard 1.3.2, used for activation and deactivation of licenses, installing CodeMeter Runtime 7.10 on Windows PCs.
After installation of Activation Wizard 1.3.2 all installed products using CodeMeter Runtime will use the latest CodeMeter Runtime 7.10 version.
Activation Wizard 1.3.2 contains the official fix of WIBU-SYSTEMS for the known variabilities and is disabling the WebSockets API like recommended by WIBU-SYSTEMS.

We strongly recommend downloading and installing Activation Wizard 1.3.2 or higher as the CVSS Score of the vulnerabilities are critical and high. Activation Wizard is available via the download areas of PLCnext Engineer, FL Network Manager, or EV Charging Suite.
Since there can only be one installation of CodeMeter Runtime on a system, installing the latest version of CodeMeter Runtime as being included in Activation Wizard will fix the vulnerabilities for all other applications using CodeMeter Runtime as well.

Please check your products web site for further updates regularly or register to Phoenix Contact PSIRT information’s to receive latest updates about security advisories.

Phoenix Contact recommends following security best practices to protect systems from local and network attacks as described in the application note AH EN INDUSTRIAL SECURITY.

Reported by

Sharon Brizinov and Tal Keren of Claroty
WIBU-Systems
Coordinated by CERT@VDE, CISA and BSI