| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| | e!COCKPIT engineering software installation bundle | <= 1.11.2.0 |
| | WAGO-I/O-Pro (CODESYS 2.3) engineering software installation | 2.3.9.45 to 2.3.9.70 |
UPDATE A 26.09.2023:
Changed the affected version of e!COCKPIT from < 1.11.2.0 to <= 1.11.2.0.
The vulnerabilities are reported in WIBU-SYSTEMS CodeMeter. WIBU-SYSTEMS CodeMeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations. All currently existing e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installation bundles ship vulnerable versions of WIBU-SYSTEMS CodeMeter and are therefore affected.
UPDATE B 20.11.2023:
Removed CVE-2023-4701 because it was revoked.
A heap buffer overflow vulnerability in the Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated, remote attacker to achieve RCE and gain full access to the host system.
WAGO controllers and I/O devices are not affected by the WIBU-SYSTEMS CodeMeter vulnerabilities. However, for compatibility with the CODESYS Store, the e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) engineering software is bundled with a WIBU-SYSTEMS CodeMeter installation.
Mitigation
For further details on risk mitigation and the impact of this vulnerability, please refer to the official WIBU-SYSTEMS Product Security Advisory WIBU-230704-01 on the WIBU-SYSTEMS website: https://www.wibu.com/support/security-advisories.html.
Remediation
Until an update is available for e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3), we strongly encourage users to update WIBU-SYSTEMS CodeMeter by installing the latest available stand-alone WIBU-SYSTEMS CodeMeter version (https://www.wibu.com/support/user/user-software.html).
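As an added example (not WAGO's or WIBU-SYSTEMS' code), the following Python inventory check flags engineering workstations whose installed versions fall inside the ranges this advisory lists, so that the stand-alone CodeMeter update can be scheduled. The product names used as inventory keys and the sample hosts are constructed for the example.

```python
import re

CM_VER = re.compile(r"^(\d+)\.(\d+)([a-z])?$")

def parse_codemeter(v):
    """'7.60b' -> (7, 60, 'b'); a missing build letter sorts before 'a'."""
    m = CM_VER.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised CodeMeter version: {v!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3) or ""

def parse_dotted(v):
    return tuple(int(p) for p in v.strip().split("."))  # '1.11.2.0' -> (1, 11, 2, 0)

# Affected ranges exactly as the advisory table and CVE text state them.
def codemeter_affected(v):  # network service vulnerable up to 7.60b
    return parse_codemeter(v) <= (7, 60, "b")
def ecockpit_affected(v):   # UPDATE A: <= 1.11.2.0
    return parse_dotted(v) <= (1, 11, 2, 0)
def iopro_affected(v):      # 2.3.9.45 to 2.3.9.70, both bounds included
    return (2, 3, 9, 45) <= parse_dotted(v) <= (2, 3, 9, 70)

CHECKS = {"CodeMeter Runtime": codemeter_affected,   # key names are assumed
          "e!COCKPIT": ecockpit_affected, "WAGO-I/O-Pro": iopro_affected}

def hosts_needing_update(inventory):
    """{host: {product: version}} -> {host: [affected]}; unparsable versions are flagged."""
    findings = {}
    for host, installed in inventory.items():
        hits = []
        for product, version in installed.items():
            if product not in CHECKS:
                continue
            try:
                flagged = CHECKS[product](version)
            except ValueError:
                flagged = True  # unknown version string: review rather than skip
            if flagged:
                hits.append(product)
        if hits:
            findings[host] = sorted(hits)
    return findings

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "eng-ws-01": {"e!COCKPIT": "1.11.2.0", "CodeMeter Runtime": "7.60b"},
    "eng-ws-02": {"WAGO-I/O-Pro": "2.3.9.70", "CodeMeter Runtime": "7.60c"},
    "eng-ws-03": {"WAGO-I/O-Pro": "2.3.9.44", "CodeMeter Runtime": "7.70a"},
}
```

A host listed only under a bundle name has a vulnerable CodeMeter from the bundle installer; a host listed under CodeMeter Runtime still runs the vulnerable service itself.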
Coordination done by CERT@VDE.