Summary
WIBU-SYSTEMS reports multiple vulnerabilities in its CodeMeter Runtime software. As part of the Weidmüller u-create studio installation, the WIBU-SYSTEMS CodeMeter Runtime is installed by default. Because the u-create studio installation bundle contains vulnerable versions of WIBU-SYSTEMS CodeMeter, u-create studio is affected by a subset of these vulnerabilities. For details refer to section "Impact".
Impact
The stated Weidmüller product is supplied with the WIBU-SYSTEMS CodeMeter Runtime software in version 6.81, which contains the following vulnerabilities:
WIBU Security Advisory | CVE Number | Score | Description |
---|---|---|---|
WIBU-200521-01 | CVE-2020-14513 | 7.5 | Not affected (fixed in 6.81; Weidmüller uses at least 6.81). |
WIBU-200521-02 | CVE-2020-14519 | 8.1 | CodeMeter Runtime WebSockets API: Missing Origin Validation |
WIBU-200521-03 | CVE-2020-14509 | 10.0 | CodeMeter Runtime DoS due to Buffer Access with Incorrect Length Value |
WIBU-200521-04 | CVE-2020-14517 | 9.4 | CodeMeter Runtime API: Inadequate Encryption Strength and Authentication |
WIBU-200521-05 | CVE-2020-16233 | 7.5 | CodeMeter Runtime API: Heap Leak |
WIBU-200521-06 | CVE-2020-14515 | 7.4 | Improper Signature Verification of CmActLicense update files for CmActLicense Firm Code |
Runtime software for Weidmüller controllers is not affected because the critical interfaces are disabled.
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
2660130000 | u-create studio 1.18.b | u-create studio 1.18.b |
2660130000 | u-create studio 1.20.2 | u-create studio 1.20.2 |
Vulnerabilities
Protocol encryption can be easily broken for CodeMeter (All versions prior to 6.90 are affected; Version 6.90 or newer is affected only if CodeMeter Runtime is running as server) and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.
Multiple memory corruption vulnerabilities exist in CodeMeter (All versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.
CodeMeter (All versions prior to 6.90 when using CmActLicense update files with CmActLicense Firm Code) has an issue in the license-file signature checking mechanism, which allows attackers to build arbitrary license files, including forging a license file that passes as a valid license file of an existing vendor. Only CmActLicense update files with CmActLicense Firm Code are affected.
This vulnerability allows an attacker to use the internal WebSockets API of CodeMeter (All versions prior to 7.00 are affected, as is Version 7.0 or newer with the affected WebSockets API still enabled; this is especially relevant for systems or devices where a web browser is used to access a web server) via a specifically crafted JavaScript payload, which may allow alteration or creation of license files when combined with CVE-2020-14515.
An attacker could send a specially crafted packet that could have CodeMeter (All versions prior to 7.10) send back packets containing data from the heap.
Mitigation
Use general security best practices to protect systems from local and network attacks.
For versions prior to 7.10a, run CodeMeter Runtime as client only and use localhost as the binding for the CodeMeter communication. With binding to localhost an attack is no longer possible via a remote network connection. This is the default configuration.
If CodeMeter Runtime is required to run as a network server, use the CodeMeter License Access Permissions feature to restrict the usage of the CodeMeter API.
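A check for the localhost-binding mitigation above, added here as an example and not part of the Weidmüller or WIBU-SYSTEMS advisory: it parses `netstat -ano` (Windows) or `ss -ltn` (Linux) style listener output and reports whether the CodeMeter listener is bound to loopback only or is reachable from the network. It assumes CodeMeter's default TCP port 22350 (the IANA-registered port, which this page does not state) and uses constructed sample rows.

```python
# Verifies the advisory's mitigation: CodeMeter Runtime bound to localhost only.
# Parses listener output in the format of `netstat -ano` (Windows) or `ss -ltn`
# (Linux). Assumption: CodeMeter listens on TCP 22350 (its IANA-registered port).
import ipaddress
import re

CODEMETER_PORT = 22350  # assumed default; adjust if your deployment differs

# "addr:port" tokens: IPv4 ("0.0.0.0:22350"), bracketed IPv6 ("[::1]:22350"), ss wildcard ("*:22350").
_ENDPOINT_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:\s]+)):(?P<port>\d+)$")

def parse_endpoint(token):
    """Return (host, port) for an address token, or None if it is not one."""
    m = _ENDPOINT_RE.match(token)
    if not m:
        return None
    return (m.group("v6") or m.group("v4")), int(m.group("port"))

def is_loopback(host):
    """True for 127.0.0.0/8 and ::1; wildcards such as '*', '0.0.0.0' or '::' are not."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # '*' and other non-address tokens
        return False

def find_codemeter_listeners(lines, port=CODEMETER_PORT):
    """Return [(bind_host, exposed)] for every listening socket on `port`."""
    found = []
    for line in lines:
        fields = line.split()
        if not any(f.upper().startswith("LISTEN") for f in fields):
            continue  # headers and non-listening rows
        for tok in fields:
            ep = parse_endpoint(tok)
            if ep and ep[1] == port:
                found.append((ep[0], not is_loopback(ep[0])))
                break  # local address comes before the foreign address
    return found

def assess(lines, port=CODEMETER_PORT):
    """'not-listening', 'localhost-only' (mitigated) or 'exposed' (reachable from the network)."""
    listeners = find_codemeter_listeners(lines, port)
    if not listeners:
        return "not-listening"
    return "exposed" if any(exp for _, exp in listeners) else "localhost-only"

# Constructed netstat-style rows: the network-server binding beside the mitigated one.
EXPOSED_SAMPLE = ["  TCP    0.0.0.0:22350    0.0.0.0:0    LISTENING    4120"]
LOCALHOST_SAMPLE = ["  TCP    127.0.0.1:22350  0.0.0.0:0    LISTENING    4120",
                    "  TCP    [::1]:22350      [::]:0       LISTENING    4120"]
```

Feed it the real `netstat -ano` or `ss -ltn` output of a u-create studio host; anything other than `localhost-only` means the CodeMeter API is reachable beyond the local machine and the License Access Permissions restriction applies.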
For further impact information and risk mitigation, please refer to the official WIBU-SYSTEMS Advisory Website at www.wibu.com/support/security-advisor...
Remediation
- For an installed u-create studio: Update to the current version 7.10a or newer of the CodeMeter Runtime, available via the manufacturer's website.
- For a new installation of u-create studio: First install u-create studio, then update to the current version 7.10a or newer of the CodeMeter Runtime, available via the manufacturer's website.
Note: An update of the CodeMeter Runtime before installation of u-create studio will cause errors during installation of u-create studio.
Revision History
Version | Date | Summary |
---|---|---|
1 | 10/12/2020 11:14 | Initial revision. |
2 | 05/14/2025 14:28 | Fix: firmware category, reference category, added distribution |