VDE-2022-002 | CERT@VDE

2022-01-31 14:00 (CET) VDE-2022-002

WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro

Share: Email | Twitter

ID

VDE-2022-002

Published

2022-01-31 14:00 (CET)

Last update

2022-03-01 09:32 (CET)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
	WAGO e!COCKPIT engineering software installation bundle	< V1.11
	WAGO-I/O-Pro (CODESYS 2.3) engineering software installation	= 2.3.9.46
	WAGO-I/O-Pro (CODESYS 2.3) engineering software installation	= 2.3.9.47
	WAGO-I/O-Pro (CODESYS 2.3) engineering software installation	= 2.3.9.49
	WAGO-I/O-Pro (CODESYS 2.3) engineering software installation	= 2.3.9.53
	WAGO-I/O-Pro (CODESYS 2.3) engineering software installation	= 2.3.9.55
	WAGO-I/O-Pro (CODESYS 2.3) engineering software installation	= 2.3.9.61
	WAGO-I/O-Pro (CODESYS 2.3) engineering software installation	= 2.3.9.66

Summary

A vulnerability is reported in WIBU-SYSTEMS Codemeter. WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations. All currently existing e!COCKPIT installation bundles and WAGO-I/O-Pro (CODESYS 2.3) installation bundles are affected with vulnerable versions of WIBU-SYSTEMS Codemeter.

CVE ID

CVE-2021-41057

Last Update:

Jan. 25, 2022, 9:40 a.m.

Severity

7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)

Weakness

Improper Link Resolution Before File Access ('Link Following') (CWE-59)

Summary

In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.

Details

nvd.nist.gov

Impact

WAGO controllers and IO-Devices are not affected by WIBU-SYSTEMS Codemeter vulnerabilities. However, due to compatibility reasons to the CODESYS Group CODESYS store, the e!COCKPIT and engineering software is bundled with a WIBU-SYSTEMS Codemeter installation.

Solution

Mitigation

Use general security best practices to protect systems from local and network attacks.
Disable the container type “Mass Storage” in CodeMeter via the Windows Registry.

Remediation

We strongly encourage e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) users to update WIBU-SYSTEMS Codemeter by installing the latest available stand-alone WIBU-SYSTEMS Codemeter Version.

WAGO will provide updated e!COCKPIT setup routines (Version 1.11) with the latest WIBU- SYSTEMS Codemeter version in Q2/2022.

Additionally WAGO will provide a security patch for e!COCKPIT Version 1.10 in February 2022.
WAGO will provide updated WAGO-I/O-Pro (CODESYS 2.3) (Version 2.3.9.68) setup routines with the latest WIBU-SYSTEMS Codemeter version in Q1/2022.

For further details on risk mitigation and impact of this vulnerability, please refer to the official WIBU-SYSTEMS Advisory WIBU-210910-01 at Website https://www.wibu.com/support/security-advisories.html.

Further details on the corresponding CVEs can be obtained here:
https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf

Reported by

CERT@VDE coordinated with WAGO