Share: Email | Twitter

ID

VDE-2022-038

Published

2022-12-13 12:50 (CET)

Last update

2022-12-13 12:54 (CET)

Vendor(s)

Festo SE & Co. KG
Festo Didactic SE

Product(s)

Article No° Product Name Affected Version(s)
8140772 CIROS <= 7.0.6 (before 2022-09-15)
8140773 CIROS <= 7.0.6 (before 2022-09-15)
8038980 CIROS <= 6.4.6 (before 2022-09-15)
FluidDraw P5 all versions
FluidDraw P6 < 6.2c
MES PC = n/a

Summary

A vulnerability was reported in WIBU-SYSTEMS CodeMeter Runtime.
WIBU-SYSTEMS CodeMeter Runtime is part of the installation packages of several Festo products.
FluidDraw < 6.2c and CIROS <= 7.0.6 contain a vulnerable version of WIBU-SYSTEMS CodeMeter Runtime.


Last Update:

Jan. 25, 2022, 9:40 a.m.

Weakness

Improper Link Resolution Before File Access ('Link Following')  (CWE-59) 

Summary

In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.


Solution

FluidDraw P5, FluidDraw P6

Avoid any FluidDraw installation with a FluidDraw installation package below version 6.2c. Updated versions of FluidDraw are available on the Festo website.

In case of a FluidDraw installation package with a version below 6.2c, do not use the WIBU CodeMeter package, that is part of the FluidDraw installation package. Skip the CodeMeter installation step during the FluidDraw installation and instead use a current CodeMeter version from the WIBU website and install that separately. In case of an already installed vulnerable CodeMeter version, update all of these WIBU CodeMeter installations with the current version of WIBU CodeMeter.

Please refer to the WIBU CodeMeter documentation and website for further details and mitigations on usage of WIBU CodeMeter Runtime before 7.30a.

CIROS

For future installations, ensure you're using a CIROS installer downloaded from https://ip.festo-didactic.com/ Infoportal/CIROS/EN/Download.html after September 15, 2022. For existing installations, update the WIBU CodeMeter Runtime separately with at least version 7.30a downloaded from the WIBU Systems website. Please refer to the WIBU CodeMeter documentation and website for further details and mitigations on usage of WIBU CodeMeter Runtime before 7.30a.

MES PC

If your copy of MES4 came preinstalled on a PC shipped before December 2022, you'll need to make sure this PC has at least CodeMeter Runtime 7.30a installed. If necessary, download the update from the WIBU Systems website.

Additional to the above:

Festo strongly recommends to restrict unprivileged access to machines running Festo software and to minimize and protect network access to connected devices with state of the art techniques and processes.

For a secure operation follow the recommendations in the product manuals.

Reported by

CERT@VDE coordinated with Festo SE & Co. KG