
ID

VDE-2022-019

Published

2022-06-02 17:11 (CEST)

Last update

2022-06-02 17:11 (CEST)

Vendor(s)

Endress+Hauser AG

Product(s)

| Article No. | Product Name | Affected Version(s) |
|---|---|---|
| SFE100 | DeviceCare | 1.02.xx <= 1.07.06 |
| SFE500 | FieldCare | 2.15.xx <= 2.16.xx |
| MS20 | Field Data Manager | 1.4.0 <= 1.6.2 |
| MS21 | Field Data Manager | 1.4.0 <= 1.6.2 |
| SMT50 | Field Xpert | 1.03.xx <= 1.05.xx |
| SMT70 | Field Xpert | 1.03.xx <= 1.05.xx |
| SMT77 | Field Xpert | 1.03.xx <= 1.05.xx |
| | Proline Promag W 800 OPC/UA Connectivity Server | = V1.3.7926 |
| SCE30B | SupplyCare Enterprise | 3.0.x <= 3.4.x |
| SCE31B | SupplyCare Enterprise | 3.0.x <= 3.4.x |
| SCE32B | SupplyCare Enterprise | 3.0.x <= 3.4.x |

Summary

For detailed information please refer to WIBU SYSTEMS original Advisories at https://wibu.com/support/security-advisories.html.

Vulnerabilities



Last Update
Sept. 8, 2021, 9:53 a.m.
Weakness
Out-of-bounds Read (CWE-125)
Summary

A buffer over-read vulnerability exists in Wibu-Systems CodeMeter versions < 7.21a. An unauthenticated remote attacker can exploit this issue to disclose heap memory contents or crash the CodeMeter Runtime Server.

Last Update
May 3, 2022, 8:05 a.m.
Weakness
Use After Free (CWE-416)
Summary

curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.

Last Update
Sept. 8, 2021, 9:53 a.m.
Weakness
Out-of-bounds Read (CWE-125)
Summary

A denial of service vulnerability exists in Wibu-Systems CodeMeter versions < 7.21a. An unauthenticated remote attacker can exploit this issue to crash the CodeMeter Runtime Server.

Last Update
May 3, 2022, 8:03 a.m.
Weakness
Improper Certificate Validation (CWE-295)
Summary

curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.

Last Update
Jan. 25, 2022, 9:40 a.m.
Weakness
Improper Link Resolution Before File Access ('Link Following') (CWE-59)
Summary

In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.

Last Update
May 3, 2022, 8:05 a.m.
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.

Last Update
May 3, 2022, 8:04 a.m.
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.

Last Update
May 3, 2022, 8:04 a.m.
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.

Solution

Mitigation

All vulnerabilities have already been fixed in several CodeMeter versions. Endress+Hauser recommends using CodeMeter version >= 7.40b.

The version is available at https://www.wibu.com/support.

For Windows 7, it is recommended to update the operating system, use or re-install the Endress+Hauser software application that supports the newer operating system, and update CodeMeter to version >= 7.40b.
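
An added example (not Endress+Hauser or Wibu-Systems code) that checks an installed CodeMeter Runtime version against the thresholds this advisory states: fixes in 7.21a and 7.30a, and the recommended >= 7.40b. It assumes versions are written as `major.minor` plus an optional letter, as on this page, with an unlettered release sorting before lettered ones; the host names are constructed sample values.

```python
import re

# Thresholds exactly as written in this advisory (CodeMeter Runtime).
FIXED_IN = {
    "7.21a": ["buffer over-read (CWE-125)", "denial of service (CWE-125)"],
    "7.30a": ["CmDongles symbolic link overwrite (CWE-59)"],
}
RECOMMENDED = "7.40b"

_VERSION = re.compile(r"^\s*(\d+)\.(\d+)([a-z]?)\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, letter) so that tuples sort in release order.

    Assumption: 'major.minor' plus optional letter, the form used on this
    page. Anything else raises ValueError rather than being guessed at.
    """
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised CodeMeter version: {text!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3).lower()


def assess(installed):
    """List the advisory's CodeMeter issues still open for `installed`."""
    have = parse_version(installed)
    open_issues = [
        issue
        for fixed, issues in FIXED_IN.items()
        if have < parse_version(fixed)
        for issue in issues
    ]
    return {
        "version": installed,
        "open_issues": open_issues,
        "meets_recommendation": have >= parse_version(RECOMMENDED),
    }


if __name__ == "__main__":
    # Constructed inventory: host names and versions are sample values.
    inventory = {"eng-ws-01": "7.10", "eng-ws-02": "7.21a", "eng-ws-03": "7.40b"}
    for host, version in inventory.items():
        print(host, assess(version))
```

Only the CodeMeter thresholds stated on this page are encoded; the curl and jQuery UI entries carry no CodeMeter version of their own here, so they are covered only by the `meets_recommendation` flag.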

Remediation

Update the software application of the affected products:

| # | Product Name | Fixed Version |
|---|---|---|
| SCE30B, SCE31B, SCE32B | SupplyCare Enterprise | >= 3.5.1 |
| SFE100 | DeviceCare | >= 1.07.07 |
| SFE500 | FieldCare | >= 2.17.00 |
| SMT50, SMT70, SMT77 | Field Xpert | >= 1.06.00 |
| MS20, MS21 | Field Data Manager | >= 1.6.3 |
| Freeware for the Proline Promag W 800/5W8C via Endress+Hauser Download Portal | Proline Promag W 800 OPC/UA Connectivity Server | > V1.3.7926 |

Reported by

CERT@VDE coordinated with ENDRESS+HAUSER