Article No. | Product Name | Affected Version(s) |
---|---|---|
2660130000 | u-create studio | = 1.18.b |
2660130000 | u-create studio | = 1.20.2 |
WIBU-SYSTEMS reports multiple vulnerabilities in its CodeMeter Runtime software. As part of the Weidmüller u-create studio installation, WIBU-SYSTEMS CodeMeter is installed by default. Because the u-create studio installation bundle contains vulnerable versions of WIBU-SYSTEMS CodeMeter, u-create studio is affected by a subset of these vulnerabilities. For details refer to section "Impact".
Multiple memory corruption vulnerabilities exist in CodeMeter (All versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.
Protocol encryption for CodeMeter (all versions prior to 6.90 are affected; version 6.90 or newer is affected only if CodeMeter Runtime is running as server) can be easily broken, and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.
An attacker could send a specially crafted packet that could have CodeMeter (All versions prior to 7.10) send back packets containing data from the heap.
This vulnerability allows an attacker to use the internal WebSockets API of CodeMeter (all versions prior to 7.00 are affected, as are version 7.0 or newer with the affected WebSockets API still enabled; this is especially relevant for systems or devices where a web browser is used to access a web server) via a specially crafted JavaScript payload, which may allow alteration or creation of license files when combined with CVE-2020-14515.
CodeMeter (all versions prior to 6.90 when using CmActLicense update files with CmActLicense Firm Code) has an issue in the license-file signature checking mechanism, which allows attackers to build arbitrary license files, including forging a license file that appears to be a valid license file of an existing vendor. Only CmActLicense update files with CmActLicense Firm Code are affected.
The stated Weidmüller product is supplied with the WIBU-SYSTEMS CodeMeter Runtime software in version 6.81, which contains the following vulnerabilities:
WIBU Security Advisory | CVE Number | Description |
---|---|---|
WIBU-200521-01 | CVE-2020-14513 (Score: 7.5) | Not affected (fixed in 6.81; Weidmüller uses 6.81 at least) |
WIBU-200521-02 | CVE-2020-14519 (Score: 8.1) | CodeMeter Runtime WebSockets API: Missing Origin Validation |
WIBU-200521-03 | CVE-2020-14509 (Score: 10.0) | CodeMeter Runtime DoS due to Buffer Access with Incorrect Length Value |
WIBU-200521-04 | CVE-2020-14517 (Score: 9.4) | CodeMeter Runtime API: Inadequate Encryption Strength and Authentication |
WIBU-200521-05 | CVE-2020-16233 (Score: 7.5) | CodeMeter Runtime API: Heap Leak |
WIBU-200521-06 | CVE-2020-14515 (Score: 7.4) | Improper Signature Verification of CmActLicense update files for CmActLicense Firm Code |
Runtime software for Weidmüller controllers is not affected, because the critical interfaces are disabled.
Solution
Mitigation
Use general security best practices to protect systems from local and network attacks.
For versions prior to 7.10a, run CodeMeter Runtime as client only and use localhost as the binding for CodeMeter communication. With the binding set to localhost, an attack via a remote network connection is no longer possible. This is the default configuration.
If CodeMeter Runtime is required to run as a network server, use the CodeMeter License Access Permissions feature to restrict the usage of the CodeMeter API.
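The version and deployment conditions in the Impact section, and the localhost-binding check from the mitigation above, as an added Python example (not part of the advisory or of any WIBU or Weidmüller tooling). It assumes CodeMeter listens on 22350/tcp, the IANA-registered CodeMeter port; the netstat lines are constructed sample input.

```python
import re
# Fixed-in thresholds from the advisory; versions look like "6.81" or "7.10a".
FIXED_IN = {
    "CVE-2020-14513": (6, 81),  # already fixed in the bundled 6.81
    "CVE-2020-14519": (7, 0),   # WebSockets API; 7.0+ exposed if API still enabled
    "CVE-2020-14509": (7, 10),
    "CVE-2020-14517": (6, 90),  # 6.90+ exposed when running as network server
    "CVE-2020-16233": (7, 10),
    "CVE-2020-14515": (6, 90),  # CmActLicense update files with CmActLicense Firm Code
}

def parse_version(text):
    m = re.fullmatch(r"(\d+)\.(\d+)[a-z]?", text.strip())
    if not m:
        raise ValueError(f"unrecognised CodeMeter version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def applicable_cves(version, runs_as_server=False, websockets_api_enabled=False,
                    uses_cmactlicense=False):
    """CVEs from the advisory that apply to one CodeMeter Runtime deployment."""
    v = parse_version(version)
    hits = {cve for cve, fixed in FIXED_IN.items() if v < fixed}
    if not uses_cmactlicense:
        hits.discard("CVE-2020-14515")
    # A patched version stays exposed under these deployment conditions.
    if runs_as_server:
        hits.add("CVE-2020-14517")
    if websockets_api_enabled:
        hits.add("CVE-2020-14519")
    return hits

def exposed_listeners(netstat_output, port=22350):
    """Local addresses in `netstat -an` style output where the CodeMeter port
    is bound to a non-loopback address (22350/tcp assumed as the default)."""
    exposed = []
    for line in netstat_output.splitlines():
        if "LISTEN" not in line.upper():
            continue
        local = next((t for t in line.split() if t.endswith(f":{port}")), None)
        if local and not local.startswith(("127.", "[::1]")):
            exposed.append(local)
    return exposed

# Constructed sample listener table: one CodeMeter binding on all interfaces.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:22350          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:22352        0.0.0.0:0              LISTENING
  TCP    [::1]:22350            [::]:0                 LISTENING
"""
```

For the bundled 6.81, `applicable_cves("6.81", uses_cmactlicense=True)` returns exactly the five CVEs marked as affecting u-create studio in the table above, and `exposed_listeners` flags the `0.0.0.0` binding that the mitigation tells you to replace with localhost.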
For further impact information and risk mitigation, please refer to the official WIBU-SYSTEMS Advisory Website at https://www.wibu.com/support/security-advisories.html
Sharon Brizinov and Tal Keren of Claroty
WIBU-Systems
Coordinated by CERT@VDE, CISA and BSI