
ID

VDE-2025-001

Published

2025-01-21 12:00 (CET)

Last update

2025-01-21 08:39 (CET)

Vendor(s)

CODESYS GmbH

Product(s)

Article No° | Product Name | Affected Version(s)
(not given) | CODESYS Key series 3 | firmware < 4.52

Summary

The CODESYS Key USB dongle, which is based on WIBU CodeMeter technology, is affected by a physical side-channel vulnerability.


Last Update:

13 January 2025 11:47

Weakness

Observable Discrepancy (CWE-203)

Summary

The underlying vulnerability in the Infineon cryptographic library is publicly described as follows. The description names the devices in which it was first reported; the same library is also part of the WIBU CmDongle firmware used by the CODESYS Key:

Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (which requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion in the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected.


Impact

The CODESYS Key is a USB dongle for secure storage of your CODESYS software licenses based on WIBU CodeMeter technology. The manufacturer WIBU-SYSTEMS AG has reported a physical side-channel vulnerability in a cryptographic library from Infineon Technologies that is part of the WIBU CmDongle firmware and thus also in the affected CODESYS Keys.

The exploitation of this vulnerability has been classified as complex. Potential attackers need physical access to the CODESYS Key and special equipment to exploit the vulnerability.

For more details see the WIBU-SYSTEMS AG Security Advisory WIBU-100094 on https://www.wibu.com/support/security-advisories.html.

In addition to licensing, the CODESYS Key can also be used for secure storage of secret data. The CVSS rating given here is the highest that can occur across the various uses of the key by the CODESYS software. If the CODESYS Key is also used with applications from other vendors, the rating may differ; in that case, consult the respective vendor and/or the WIBU-SYSTEMS AG security advisory.

Solution

Mitigation

Regardless of the vulnerability described here, CODESYS GmbH recommends that physical access to the CODESYS Key should only be granted to authorized persons. Especially in the case of productive control systems, removal of the CODESYS Key can affect the controlled machine or process.

This generally recommended restriction of access also reduces the attack surface for this vulnerability, as its exploitation requires physical access.

Remediation

Update the CODESYS Key firmware to version 4.52 or later.

The update also protects future use of additional CODESYS Key features by the CODESYS software, as well as use of the key by other software. It can be installed, for example, via the CodeMeter Control Center.
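When a site operates many CODESYS Keys, the practical remediation step is an inventory check: list every dongle with its firmware version and flag those below 4.52. The following script is an added example and is not code from CODESYS GmbH, WIBU-SYSTEMS AG or CERT@VDE. The inventory lines it parses are constructed for the example; the format is an assumption and not the exact output of the CodeMeter tools, so the regular expression must be adapted to whatever inventory export you actually have. What it does show is the version comparison done correctly, as integer tuples rather than floats or strings.

```python
import re
from typing import List, Tuple

# Lowest fixed CODESYS Key firmware version according to the advisory.
FIXED_VERSION = "4.52"

# Constructed sample inventory (assumed format, not real CodeMeter output).
SAMPLE_INVENTORY = """\
CmContainer serial 3-1234567 firmware 4.40 (CODESYS Key series 3, PLC line A)
CmContainer serial 3-2345678 firmware 4.52 (CODESYS Key series 3, PLC line B)
CmContainer serial 3-3456789 firmware 4.51 (CODESYS Key series 3, test bench)
CmContainer serial 3-4567890 firmware 4.60 (CODESYS Key series 3, spare)
"""

# Matches the assumed "serial <sn> firmware <x.y>" fields of one inventory line.
LINE_RE = re.compile(r"serial\s+(?P<serial>\S+)\s+firmware\s+(?P<fw>\d+(?:\.\d+)+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.52' into (4, 52).

    Comparing tuples of integers is the safe choice: comparing floats would
    order a hypothetical '4.100' before '4.52', and comparing strings would
    order '4.9' after '4.52'.
    """
    return tuple(int(part) for part in text.split("."))


def is_affected(firmware: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the firmware version is below the fixed version."""
    return parse_version(firmware) < parse_version(fixed)


def find_affected(inventory: str) -> List[Tuple[str, str]]:
    """Return (serial, firmware) for every dongle that still needs the update."""
    affected = []
    for line in inventory.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # not an inventory line we understand; skip it
        if is_affected(match["fw"]):
            affected.append((match["serial"], match["fw"]))
    return affected


if __name__ == "__main__":
    for serial, firmware in find_affected(SAMPLE_INVENTORY):
        print(f"{serial}: firmware {firmware} < {FIXED_VERSION}, update required")
```

Run against the constructed inventory, the script reports the 4.40 and 4.51 dongles and leaves 4.52 and 4.60 alone. Keys that the script flags should be updated in a maintenance window, since the Mitigation section notes that removing a CODESYS Key from a productive controller can affect the machine or process it controls.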

Reported by

CERT@VDE coordinated with CODESYS