Share: Email | Twitter

ID

VDE-2023-042

Published

2023-09-25 12:00 (CEST)

Last update

2023-11-20 09:37 (CET)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
e!COCKPIT engineering software installation bundle <= 1.11.2.0
WAGO-I/O-Pro (CODESYS 2.3) engineering software installation 2.3.9.45 <= 2.3.9.70

Summary

UPDATE A 26.09.2023:
Changed affected Version of e!Cockpit from < 1.11.2.0 to <= 1.11.2.0

Vulnerabilities are reported in WIBU-SYSTEMS Codemeter. WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations. All currently existing e!COCKPIT installation bundles and WAGO-I/O-Pro (CODESYS 2.3) installation bundles are affected with vulnerable versions of WIBU-SYSTEMS Codemeter.

UPDATE B 20.11.2023:
Removed CVE-2023-4701 because it was revoked.


Last Update:

Sept. 19, 2023, 8:50 a.m.

Weakness

Out-of-bounds Write  (CWE-787) 

Summary

A heap buffer overflow vulnerability in Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated, remote attacker to achieve RCE and gain full access of the host system.


Impact

WAGO controllers and IO-Devices are not affected by WIBU-SYSTEMS Codemeter vulnerabilities. However, due to compatibility reasons to the CODESYS Store, the e!COCKPIT and engineering software is bundled with a WIBU-SYSTEMS Codemeter installation.

Solution

Mitigation

  • Use general security best practices to protect systems from local and network attacks.

For further details on risk mitigation and impact of this vulnerability, please refer to the official WIBU-SYSTEMS Product Security Advisory WIBU-230704-01 at Website https://www.wibu.com/support/security-advisories.html.

Remediation

Until an update is available for e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) we strongly encourage users to update WIBU-SYSTEMS Codemeter by installing the latest available stand-alone WIBU-SYSTEMS Codemeter Version. (https://www.wibu.com/support/user/user-software.html).

Reported by

Coordination done by CERT@VDE.