Summary
A vulnerability was reported in WIBU-SYSTEMS CodeMeter Runtime. WIBU-SYSTEMS CodeMeter Runtime is part of the installation packages of several Festo products. FluidDraw < 6.2c and CIROS <= 7.0.6 contain a vulnerable version of WIBU-SYSTEMS CodeMeter Runtime.
Impact
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
8038980 | CIROS | <=6.4.6 (before 2022-09-15) |
8140772, 8140773 | CIROS | <=7.0.6 (before 2022-09-15) |
 | FluidDraw P5 | all versions |
 | FluidDraw P6 | <6.2c |
 | MES PC | all versions |
Vulnerabilities
In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link causes the linked file to be overwritten without a permission check.
Remediation
FluidDraw P5, FluidDraw P6
Do not install FluidDraw from an installation package below version 6.2c.
Updated versions of FluidDraw are available on the Festo website.
If you must use a FluidDraw installation package with a version below 6.2c:
- Do not use the WIBU CodeMeter package that is part of the FluidDraw installation package.
- Skip the CodeMeter installation step during the FluidDraw installation.
- Instead, use a current CodeMeter version from the WIBU website and install it separately.
- If a vulnerable CodeMeter version is already installed, update every such WIBU CodeMeter installation to the current version of WIBU CodeMeter.
Please refer to the WIBU CodeMeter documentation and website for further details and mitigations on usage of WIBU CodeMeter Runtime before 7.30a.
CIROS
For future installations:
- Use a CIROS installer downloaded from [ip.festo-didactic.com/](https://ip.fe...
- Make sure it is downloaded after September 15, 2022
For existing installations:
- Update the WIBU CodeMeter Runtime separately to at least version 7.30a (downloaded from the WIBU Systems website).
- Refer to the WIBU CodeMeter documentation and website for further details and mitigations.
MES PC
If your copy of MES4 came preinstalled on a PC shipped before December 2022:
- Ensure the PC has at least CodeMeter Runtime 7.30a installed.
- If necessary, download the update from the WIBU Systems website.
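As an added example (not part of the advisory, and not Festo or WIBU code), the following Python script applies the version thresholds above to a software inventory: CodeMeter Runtime installations below 7.30a and FluidDraw installation packages below 6.2c are flagged for action. It assumes the "major.minor[letter]" version form used in the advisory (e.g. "7.30a", "6.2c"), treats a version without a letter suffix as older than the same number with an "a" suffix (a conservative assumption, not a WIBU rule), and runs over a constructed inventory, not real data.

```python
"""Triage a software inventory against the version thresholds in this advisory.

Added example, not Festo or WIBU code. Assumptions (not from the advisory):
  - version strings use the "major.minor[letter]" form seen in the advisory;
    a string with no letter suffix is treated as older than the same number
    with an "a" suffix (conservative, so nothing is missed).
  - the inventory lines below are constructed for the example.
"""
import re
from typing import NamedTuple

# Thresholds stated in the advisory: the first non-affected version per product.
FIXED_VERSIONS = {
    "CodeMeter Runtime": "7.30a",   # CodeMeter Runtime before 7.30a is vulnerable
    "FluidDraw": "6.2c",            # installers below 6.2c bundle a vulnerable CodeMeter
}


class Version(NamedTuple):
    major: int
    minor: int
    patch: int   # 0 = no letter suffix, 1 = "a", 2 = "b", ...


_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)([a-z])?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Version:
    """Parse a "7.30a" style version string into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, suffix = m.groups()
    patch = ord(suffix.lower()) - ord("a") + 1 if suffix else 0
    return Version(int(major), int(minor), patch)


def is_affected(product: str, version_text: str) -> bool:
    """True if the installed version is below the advisory's fixed version."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return False   # product not covered by this advisory
    return parse_version(version_text) < parse_version(fixed)


def triage(inventory_csv: str) -> list:
    """Return (host, product, version) for every affected entry of a 'host,product,version' CSV."""
    findings = []
    for line in inventory_csv.strip().splitlines():
        host, product, version = (field.strip() for field in line.split(","))
        if is_affected(product, version):
            findings.append((host, product, version))
    return findings


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = """\
ENG-PC-01,CodeMeter Runtime,7.21b
ENG-PC-02,CodeMeter Runtime,7.30a
ENG-PC-03,CodeMeter Runtime,7.40
MES-PC-01,CodeMeter Runtime,7.10a
ENG-PC-01,FluidDraw,6.2b
ENG-PC-02,FluidDraw,6.2c
ENG-PC-04,FluidDraw,5.4a
"""

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below {FIXED_VERSIONS[product]}, update required")
```

The comparison is done on a parsed tuple rather than on the raw string, because a plain string comparison would rank "7.9a" above "7.30a". Feed the script the output of your own inventory tooling in the same three-column form; any line with an unrecognised version string raises rather than being silently skipped.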
In addition to the above
Festo strongly recommends:
- Restricting unprivileged access to machines running Festo software.
- Minimizing and protecting network access to connected devices using state-of-the-art techniques and processes.
For secure operation, follow the recommendations in the product manuals.
Acknowledgments
Festo SE & Co. KG thanks the following parties for their efforts:
- CERT@VDE for coordination and support with this publication (see https://certvde.com)
Revision History
Version | Date | Summary |
---|---|---|
1.0.0 | 13.12.2022 12:50 | Initial revision. |
1.0.1 | 11.01.2024 11:00 | Adjust link to VDE Advisory |
1.0.2 | 01.10.2025 12:50 | Adjusted to VDE template. Changed title from "Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple Festo products" to "Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products". |