VDE-2023-032 | CERT@VDE

2023-11-09 08:42 (CET) VDE-2023-032

Weidmüller: WIBU Vulnerability in multiple Products

Share: Email | Twitter

ID

VDE-2023-032

Published

2023-11-09 08:42 (CET)

Last update

2023-11-09 08:42 (CET)

Vendor(s)

Weidmueller Interface GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
2682630000	IOT-GW30-4G-EU (with u-OS)	2.0.0 , 2.0.1
2682620000	IOT-GW30 (with u-OS)	2.0.0 , 2.0.1
1334950000	UC20-WL2000-AC (with u-OS)	2.0.0 , 2.0.1
1334990000	UC20-WL2000-IOT (with u-OS)	2.0.0 , 2.0.1
2660130000	u-create studio	<= 4.2.4

Summary

Multiple Weidmueller products are affected by recent WIBU vulnerability.

CVE ID

CVE-2023-3935

Last Update:

Sept. 19, 2023, 8:50 a.m.

Severity

9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Weakness

Out-of-bounds Write (CWE-787)

Summary

A heap buffer overflow vulnerability in Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated, remote attacker to achieve RCE and gain full access of the host system.

Details

cert.vde.com

Impact

An attacker exploiting the vulnerability in WIBU CodeMeter Runtime in server mode could gain full access to the affected server via network access without any user interaction.

Exploiting the vulnerability in WIBU CodeMeter Runtime in non-networked workstation mode could lead to a privilege elevation and full admin access on this workstation.

Solution

Mitigation

u-create studio:
Disabling the network server function within CodeMeter would mitigate the vulnerability. To disable this function
please refer to the following steps:

1. Navigate to the CodeMeter WebAdmin Website
2. Select option Settings > Server > Server access
3. Choose option “deactivate” in section “network server”
4. Click “Apply” button on the bottom of the website

Remediation

For the affected u-control web Controllers and IoT-Gateways please update the firmware to at least version
2.0.2. The firmware update can be obtained from www.weidmueller.com.

For u-create studio please update the CodeMeter control center software to at least version 7.60c. The
Codemeter control center is included in u-create studio and is installed on your computer in parallel. The
Codemeter control center update can be obtained from WIBU-SYSTEMS homepage. Look for “CodeMeter User Runtime für Windows” on WIBU-Website.

Find below appropriate patched firmware versions for all affected products.

Product number	Product name	Patched in version
1334950000	UC20-WL2000-AC (with u-OS)	≥ 2.0.2
1334990000	UC20-WL2000-IOT (with u-OS)	≥ 2.0.2
2682620000	IOT-GW30 (with u-OS)	≥ 2.0.2
2682630000	IOT-GW30-4G-EU (with u-OS)	≥ 2.0.2
2660130000	u-create studio with CodeMeter control center	≥ 7.60c

Reported by

The vulnerability was discovered and reported by WIBU-SYSTEMS AG.
Weidmueller thanks CERT@VDE for the support with this publication.