CODESYS Key physical side-channel vulnerability

VDE-2025-001
Last update: 06/05/2025 15:31
Published at: 01/21/2025 12:00
Vendor(s): CODESYS GmbH
External ID: Advisory2025-01_VDE-2025-001

Summary

The CODESYS Key USB dongle, which is based on WIBU CodeMeter technology, is affected by a physical side-channel vulnerability.

Impact

The CODESYS Key is a USB dongle, based on WIBU CodeMeter technology, for secure storage of your CODESYS software licenses. The manufacturer WIBU-SYSTEMS AG has reported a physical side-channel vulnerability in a cryptographic library from Infineon Technologies. This library is part of the WIBU CmDongle firmware and is therefore also present in the affected CODESYS Keys.

The exploitation of this vulnerability has been classified as complex. Potential attackers need physical access to the CODESYS Key and special equipment to exploit the vulnerability.

For more details see the WIBU-SYSTEMS AG Security Advisory WIBU-100094 on www.wibu.com/support/security-advisor....

In addition to licensing, the CODESYS Key can also be used for secure storage of secret data. The identified CVSS is the highest rating that can occur in combination with the various applications in the CODESYS software. If the CODESYS Key is also used with applications from other vendors, the rating may differ. In this case, consult the respective vendor and/or the WIBU-SYSTEMS AG security advisory.

Affected Product(s)

Model no.    Product name            Affected versions
             CODESYS Key series 3    Firmware <4.52

Vulnerabilities

Published: 09/22/2025 14:57
Weakness: Observable Discrepancy (CWE-203)
Mitigation

Regardless of the vulnerability described here, CODESYS GmbH recommends granting physical access to the CODESYS Key only to authorized persons. Especially in production control systems, removing the CODESYS Key can affect the controlled machine or process.

This generally recommended restriction of access also reduces the attack surface for this vulnerability, as its exploitation requires physical access.

Remediation

Update the CODESYS Key firmware to version 4.52.

Updating the firmware also protects future use of additional CODESYS Key features by the CODESYS software, as well as general use by other software. The update can be installed, for example, via the CodeMeter Control Center.

Revision History

Version    Date                Summary
1          01/14/2025 12:00    Initial revision.
2          06/05/2025 15:31    Fix: version space