Summary
Multiple vulnerabilities were reported in WIBU-SYSTEMS Codemeter. WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations. All currently existing e!COCKPIT installation bundles and WAGO-I/O-Pro (CODESYS 2.3) installation bundles with Version 2.3.9.46, 2.3.9.47, 2.3.9.49, 2.3.9.53, 2.3.9.55, 2.3.9.61 and 2.3.9.66 contain vulnerable versions of WIBU-SYSTEMS Codemeter.
Impact
WAGO controllers and I/O devices are not affected by the WIBU-SYSTEMS Codemeter vulnerabilities. However, for compatibility with the 3S CODESYS Store, the e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) engineering software is bundled with a WIBU-SYSTEMS Codemeter installation.
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.46 | WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.46 | |
WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.47 | WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.47 | |
WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.49 | WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.49 | |
WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.53 | WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.53 | |
WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.55 | WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.55 | |
WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.61 | WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.61 | |
WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.66 | WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.66 | |
e!COCKPIT engineering software installation bundles <V1.10 | e!COCKPIT engineering software installation bundles <V1.10 | |
Vulnerabilities
A buffer over-read vulnerability exists in Wibu-Systems CodeMeter versions < 7.21a. An unauthenticated remote attacker can exploit this issue to disclose heap memory contents or crash the CodeMeter Runtime Server.
A denial of service vulnerability exists in Wibu-Systems CodeMeter versions < 7.21a. An unauthenticated remote attacker can exploit this issue to crash the CodeMeter Runtime Server.
Mitigation
- Use general security best practices to protect systems from local and network attacks.
- Run CodeMeter as a client only and bind the CodeMeter communication to localhost.
- With the binding set to localhost, an attack over a remote network connection is no longer possible. The network server is disabled by default.
- If it is not possible to disable the network server, using a host-based firewall to restrict access to the CmLAN port can reduce the risk.
- The CmWAN server is disabled by default. Please check if CmWAN is enabled and disable the feature if it is not needed.
- Run the CmWAN server only behind a reverse proxy with user authentication to prevent attacks from unauthenticated users.
- The risk of an unauthenticated attacker can be further reduced by using a host-based firewall that only allows the reverse proxy to access the CmWAN port.
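The two checks above (localhost binding, and a host-based firewall that lets only the reverse proxy reach the CodeMeter port) can be verified and applied from an elevated PowerShell session. This is an added helper written for this advisory, not WAGO or WIBU-SYSTEMS tooling; it assumes the Runtime Server runs as the process `CodeMeter` (CodeMeter.exe) and that TCP 22350 is the CmLAN default port, both of which should be confirmed against your installation.

```powershell
# Added audit helper (not part of the WAGO advisory or of CodeMeter).
# Assumptions: Runtime Server process name 'CodeMeter', CmLAN default TCP port 22350,
# Windows 8 / Server 2012 or newer (NetTCPIP and NetSecurity modules), elevated shell.
$LoopbackAddresses = @('127.0.0.1', '::1')

function Get-CodeMeterListeners {
    # Every TCP listener owned by the CodeMeter Runtime Server process.
    $procs = Get-Process -Name 'CodeMeter' -ErrorAction SilentlyContinue
    if (-not $procs) { return @() }
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $procs.Id -contains $_.OwningProcess } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

function Test-CodeMeterLocalhostBinding {
    # Mitigation check: a listener on 0.0.0.0 or :: means the CmLAN/CmWAN server is
    # reachable from the network, i.e. the localhost binding is NOT in place.
    $exposed = @(Get-CodeMeterListeners | Where-Object { $LoopbackAddresses -notcontains $_.LocalAddress })
    foreach ($l in $exposed) {
        Write-Warning ("CodeMeter listens on {0}:{1} (PID {2}) - reachable from the network" -f
            $l.LocalAddress, $l.LocalPort, $l.OwningProcess)
    }
    return ($exposed.Count -eq 0)
}

function Restrict-CodeMeterPort {
    # Fallback when the network server cannot be disabled: only $AllowedRemote (e.g. the
    # reverse proxy host) may reach the port. Windows Firewall evaluates Block rules before
    # Allow rules, so rather than adding a blanket Block we disable existing inbound Allow
    # rules for the port and add one narrow Allow; this relies on the profile's default
    # inbound action being Block (the Windows default).
    param([int]$Port = 22350, [string[]]$AllowedRemote = @())   # 22350 = assumed CmLAN default
    $filters = Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$Port" }
    foreach ($f in $filters) {
        $rule = $f | Get-NetFirewallRule
        if ($rule.Direction -eq 'Inbound' -and $rule.Action -eq 'Allow' -and $rule.Enabled -eq 'True') {
            Disable-NetFirewallRule -Name $rule.Name
        }
    }
    if ($AllowedRemote.Count -gt 0) {
        New-NetFirewallRule -DisplayName "CodeMeter TCP $Port - reverse proxy only" -Direction Inbound `
            -Protocol TCP -LocalPort $Port -RemoteAddress $AllowedRemote -Action Allow | Out-Null
    }
}

if (Test-CodeMeterLocalhostBinding) { Write-Host 'CodeMeter is bound to localhost only.' }
# Example when CmWAN must stay reachable behind a proxy at 10.0.0.5 (constructed address):
# Restrict-CodeMeterPort -Port 22350 -AllowedRemote @('10.0.0.5')
```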
For further impact information and risk mitigation, please refer to the official WIBU-SYSTEMS Advisory Website at wibu.com/support/security-advisories....
Remediation
We strongly encourage e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) users to update WIBU-SYSTEMS Codemeter by installing the latest available stand-alone WIBU-SYSTEMS Codemeter Version.
During the WIBU-SYSTEMS Codemeter installation, apply the setup settings recommended in the WIBU-SYSTEMS advisories; a brief summary is given in the Mitigation section above. Please check the WIBU-SYSTEMS advisories for updates and details that may not be included in this document.
WAGO will provide updated e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) setup routines with the latest WIBU-SYSTEMS Codemeter version in Q4/2021.
Revision History
Version | Date | Summary |
---|---|---|
1 | 31.08.2021 09:02 | Initial revision. |
2 | 14.05.2025 14:28 | Fix: firmware category, added distribution |