Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products

CVSS: 7.1
Advisory ID: FSA-202206
Published: Dec 13, 2022
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

WIBU-SYSTEMS CodeMeter Runtime, a licensing/protection component bundled with several Festo products, contains a file-handling vulnerability (CWE-59, link following: likely a symlink or path traversal flaw) that allows a local attacker with an unprivileged user account to write files to arbitrary locations. FluidDraw versions below 6.2c, CIROS versions 7.0.6 and earlier, and all versions of MES PC ship the vulnerable CodeMeter component. The vulnerability enables privilege escalation or system compromise without elevated credentials. Festo recommends restricting unprivileged local access and updating CodeMeter Runtime to version 7.30a or later. Some products (FluidDraw P5, CIROS) are end-of-life with no patched product versions available; in these cases the CodeMeter component must be updated separately.

What this means
What could happen
A local attacker with unprivileged access to a machine running vulnerable Festo software could modify or corrupt files on the system, potentially disrupting process simulations, engineering workflows, or manufacturing execution functions. This could compromise the integrity of control logic or operational data.
Who's at risk
Engineering teams and operations staff using Festo FluidDraw (hydraulic/pneumatic design software), CIROS (simulation environment), or MES PC (manufacturing execution system) on Windows workstations. The risk is greatest for organizations relying on these tools for control logic development, system design, or production planning, particularly those in water treatment, power generation, or manufacturing.
How it could be exploited
An attacker with a user account on a machine running vulnerable FluidDraw, CIROS, or MES PC can exploit a symlink or path traversal flaw in the bundled CodeMeter Runtime to write files to arbitrary locations. By crafting a malicious installation or leveraging the CodeMeter component during runtime, the attacker could overwrite system or application files without requiring elevated privileges.
Prerequisites
  • Local user account on the affected machine
  • FluidDraw P5 or P6 <6.2c, CIROS <=7.0.6, or MES PC with vulnerable CodeMeter Runtime installed
  • Ability to trigger CodeMeter operations (e.g., license check during application startup)
  • Local exploitation only (requires user account)
  • Low attack complexity
  • No authentication required beyond user login
  • No vendor patch available for some products (end-of-life)
  • Affects file integrity and system availability
Affected products (5)
3 with fix, 1 pending, 1 EOL

Product        Affected Versions              Fix Status
MES PC         All versions                   No fix yet
FluidDraw P6   <6.2c                          6.2c
FluidDraw P5   All versions                   No fix (EOL)
CIROS          <=6.4.6 (before 2022-09-15)    versions released after 2022-09-15
CIROS          <=7.0.6 (before 2022-09-15)    versions released after 2022-09-15
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

MES PC
HOTFIX: For MES PC pre-installed on systems shipped before December 2022, verify that CodeMeter Runtime version 7.30a or later is installed
All products
HOTFIX: Update FluidDraw to version 6.2c or later
HOTFIX: Update CIROS to a version released after 2022-09-15 (download from https://ip.festo-didactic.com/Infoportal/CIROS/EN/Download.html)
HOTFIX: Update WIBU CodeMeter Runtime to version 7.30a or later on all machines running vulnerable Festo products (download from the WIBU Systems website)
Mitigations - no patch available
FluidDraw P5 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Restrict local user access on machines running Festo software to only authorized engineering and operations personnel
HARDENING: Segment Festo software systems from general office networks using a dedicated engineering network or air gap where feasible
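As an added example (not Festo's, WIBU's or OTPulse's code), a small Python triage helper that encodes the affected-version rules from the table above and runs them over a constructed inventory. It assumes versions are recorded in the advisory's own notation (dotted numbers with an optional letter suffix such as 6.2c or 7.30a) and that CIROS hosts also record the build's release date, because for CIROS the version number alone does not decide the case.

```python
import re
from datetime import date
CODEMETER_FIXED = "7.30a"            # fixed versions/dates as stated in FSA-202206
FLUIDDRAW_P6_FIXED = "6.2c"
CIROS_FIX_DATE = date(2022, 9, 15)   # CIROS: fixed in builds released after this date

def parse_version(v):  # '6.2c' -> ((6, 2), 'c'); a missing letter suffix sorts before 'a'
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", v.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)

def version_lt(a, b):  # True if a is strictly older than b (6.2 < 6.2a < 6.2c < 6.10)
    (na, sa), (nb, sb) = parse_version(a), parse_version(b)
    width = max(len(na), len(nb))    # pad so 6.2 and 6.2.0 compare equal
    return (na + (0,) * (width - len(na)), sa) < (nb + (0,) * (width - len(nb)), sb)

def product_vulnerable(product, version, released=None):
    """Affected-version rule per product (advisory table); an unknown CIROS release date counts as vulnerable."""
    if product == "FluidDraw P6":
        return version_lt(version, FLUIDDRAW_P6_FIXED)
    if product in ("FluidDraw P5", "MES PC"):
        return True                  # all versions are listed as affected
    if product == "CIROS":
        if version_lt("7.0.6", version):   # newer than 7.0.6 is outside the affected range
            return False
        return released is None or released <= CIROS_FIX_DATE
    raise ValueError(f"product not covered by this advisory: {product!r}")

def triage(host):
    """Return the remediation actions a host needs (empty list = nothing to do)."""
    actions = []
    if product_vulnerable(host["product"], host["version"], host.get("released")):
        if host["product"] == "FluidDraw P6":
            actions.append("update FluidDraw to 6.2c or later")
        elif host["product"] == "CIROS":
            actions.append("update CIROS to a build released after 2022-09-15")
        else:
            actions.append("no product fix (EOL/pending): restrict local user access")
    if version_lt(host["codemeter"], CODEMETER_FIXED):
        actions.append("update CodeMeter Runtime to 7.30a or later")
    return actions

# Constructed sample inventory (hostnames and versions are made up, not real hosts).
INVENTORY = [
    {"host": "eng-ws-01", "product": "FluidDraw P6", "version": "6.2a", "codemeter": "7.21b"},
    {"host": "sim-01", "product": "CIROS", "version": "7.0.6", "released": date(2022, 6, 1), "codemeter": "7.30a"},
    {"host": "mes-01", "product": "MES PC", "version": "3.1", "codemeter": "7.20"},
]
```

Because the vulnerable component is the CodeMeter Runtime itself, the CodeMeter line is the one that matters on end-of-life products where no product update exists.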