VDE-2023-036 | CERT@VDE

2023-11-28 08:00 (CET) VDE-2023-036

FESTO: Multiple products affected by WIBU Codemeter vulnerability (Update A)

Share: Email | Twitter

ID

VDE-2023-036

Published

2023-11-28 08:00 (CET)

Last update

2023-12-05 10:07 (CET)

Vendor(s)

Festo SE & Co. KG
Festo Didactic SE

Product(s)

Article No°	Product Name	Affected Version(s)
8038980	CIROS 6 Studio / Education	6.0.0 <= 6.4.6
8140772	CIROS 7 Studio / Education	7.0.0 <= 7.1.7
8140773	CIROS 7 Studio / Education	7.0.0 <= 7.1.7
8074657	Festo Automation Suite	<= 2.6.0.481
8085497	FluidDraw 365	<= 7.0a
8085496	FluidDraw P6	<= 6.2k
	FluidSIM	= 5.x
8148657	FluidSIM	6 <= 6.1c
8148658	FluidSIM	6 <= 6.1c
8148659	FluidSIM	6 <= 6.1c
8148812	FluidSIM	6 <= 6.1c
8148813	FluidSIM	6 <= 6.1c
8148814	FluidSIM	6 <= 6.1c
	MES PC	< December 2023

Summary

A vulnerability in the Wibu CodeMeter Runtime, which is part of the installation packages of
several Festo products, was found. This could lead to remote code execution and escalation of
privileges giving full admin access on the host system.

Update A, 2023-12-05

removed "MES4 (v3)", "MES4 (<=v2)" and Energy-PC from affected products as they do not install the affected WIBU Codemeter release.

CVE ID

CVE-2023-3935

Last Update:

Sept. 19, 2023, 8:50 a.m.

Severity

9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Weakness

Out-of-bounds Write (CWE-787)

Summary

A heap buffer overflow vulnerability in Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated, remote attacker to achieve RCE and gain full access of the host system.

Details

cert.vde.com

Impact

An attacker exploiting the vulnerability in WIBU CodeMeter Runtime in server mode could gain full access to the affected server via network access without any user interaction.

Exploiting the vulnerability in WIBU CodeMeter Runtime in non-networked workstation mode could lead to a privilege elevation and full access on this workstation for an already authenticated user (logged in locally to the PC).

Solution

Remediation

Festo Automation Suite: Fix scheduled for Mid-2024.
All other affected products: Update Codemeter to version >= 7.60c.

General recommendations

Users running communication over an untrusted network who require full protection should switch to an alternative solution such as running the communication over a VPN.

Festo strongly recommends to minimize and protect network access to connected devices with state of the art techniques and processes.

As part of a security strategy, Festo recommends the following general defense measures to reduce the risk of exploits:

- Use devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
- Use firewalls to protect and separate the control system network from other networks - Use VPN (Virtual Private Networks) tunnels if remote access is required
- Activate and apply user management and password features
- Use encrypted communication links
- Limit the access to both development and control system by physical means, operating system features, etc.
- Protect both development and control system by using up to date virus detecting solutions

Reported by

CERT@VDE coordinated with Festo.