Share: Email | Twitter

ID

VDE-2020-041

Published

2020-10-12 11:14 (CEST)

Last update

2020-10-12 11:14 (CEST)

Vendor(s)

Weidmueller Interface GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
2660130000 u-create studio = 1.18.b
2660130000 u-create studio = 1.20.2

Summary

WIBU-SYSTEMS report multiple vulnerabilities in their CodeMeter Runtime software. As part of the Weidmüller u-create studio installation the WIBU-SYSTEMS CodeMeter is installed by default. As the u-create studio installation bundle contains vulnerable versions of WIBU-SYSTEMS CodeMeter, the u-create studio is affected by a subset of these vulnerabilities. For details refer to section "Impact".

Vulnerabilities



Last Update
March 3, 2022, 12:09 p.m.
Weakness
Buffer Access with Incorrect Length Value (CWE-805)
Summary

Multiple memory corruption vulnerabilities exist in CodeMeter (All versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.

Last Update
Oct. 6, 2020, 8:19 p.m.
Weakness
Inadequate Encryption Strength (CWE-326)
Summary

Protocol encryption can be easily broken for CodeMeter (All versions prior to 6.90 are affected, including Version 6.90 or newer only if CodeMeter Runtime is running as server) and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.

Last Update
Oct. 6, 2020, 1:19 p.m.
Weakness
Improper Resource Shutdown or Release (CWE-404)
Summary

An attacker could send a specially crafted packet that could have CodeMeter (All versions prior to 7.10) send back packets containing data from the heap.

Last Update
March 3, 2022, 12:09 p.m.
Weakness
Origin Validation Error (CWE-346)
Summary

This vulnerability allows an attacker to use the internal WebSockets API for CodeMeter (All versions prior to 7.00 are affected, including Version 7.0 or newer with the affected WebSockets API still enabled. This is especially relevant for systems or devices where a web browser is used to access a web server) via a specifically crafted Java Script payload, which may allow alteration or creation of license files for when combined with CVE-2020-14515.

Last Update
Oct. 6, 2020, 8:19 p.m.
Weakness
Improper Verification of Cryptographic Signature (CWE-347)
Summary

CodeMeter (All versions prior to 6.90 when using CmActLicense update files with CmActLicense Firm Code) has an issue in the license-file signature checking mechanism, which allows attackers to build arbitrary license files, including forging a valid license file as if it were a valid license file of an existing vendor. Only CmActLicense update files with CmActLicense Firm Code are affected.

Impact

The stated Weidmüller product is supplied with the WIBU-SYSTEMS CodeMeter Runtime software in version 6.81, which contains the following vulnerabilities:

WIBU Security Advisory CVE Number Description
WIBU- 200521-01 CVE-2020- 14513
Score: 7.5
not affected (Fixed in 6.81. Weidmueller uses 6.81 at least.)
WIBU- 200521-02 CVE-2020- 14519
Score: 8.1
CodeMeter Runtime WebSockets API: Missing Origin Validation
WIBU- 200521-03 CVE-2020- 14509
Score: 10.0
CodeMeter Runtime DoS due to Buffer Access with Incorrect Length Value
WIBU- 200521-04 CVE-2020- 14517
Score: 9.4
CodeMeter Runtime API: Inadequate Encryption Strength and Authentication
WIBU- 200521-05 CVE-2020- 16233
Score: 7.5
CodeMeter Runtime API: Heap Leak
WIBU- 200521-06 CVE-2020- 14515
Score: 7.4
Improper Signature Verification of CmActLicense update files for CmActLicense Firm Code

Runtime software for Weidmüller controllers is not affected, because the critical interfaces are disabled.

Solution

Solution

  • For an installed u-create studio: Update to the current version 7.10a or newer of the CodeMeter Runtime, available via the manufacturer's website.
  • For a new installation of u-create studio: First install u-create studio, then update to the current version 7.10a or newer of the CodeMeter Runtime available via the manufacturer's website.
    Note: An update of the CodeMeter Runtime before installation of u-create studio will cause errors during installation of u-create studio.

Mitigation

Use general security best practices to protect systems from local and network attacks.
For versions prior to 7.10a run CodeMeter Runtime as client only and use localhost as binding for the
CodeMeter communication. With binding to localhost an attack is no longer possible via remote network
connection. This is the default configuration.
If CodeMeter Runtime is required to run as network server use the CodeMeter License Access
Permissions feature to restrict the usage of CodeMeter API.
For further impact information and risk mitigation, please refer to the official WIBU-SYSTEMS Advisory Website at https://www.wibu.com/support/security-advisories.html

Reported by

Sharon Brizinov and Tal Keren of Claroty
WIBU-Systems
Coordinated by CERT@VDE, CISA and BSI