WIBU SYSTEMS AG WibuKey Digital Rights Management (Update D)

Act Now10ICS-CERT ICSA-19-043-03Feb 12, 2019

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

WIBU SYSTEMS AG WibuKey Digital Rights Management (DRM) library contains multiple vulnerabilities affecting industrial control software products that use it for license management. The vulnerabilities are related to improper input validation, buffer overflow, and information disclosure in the WibuKey component. Affected products include Siemens SICAM 230, SISHIP EMCS IMAC IPMS, and WinCC OA; Phoenix Contact MEVIEW3; COPA-DATA zenon and straton workbench; and Sprecher Automation SPRECON-V460 products. Successful exploitation may allow information disclosure, privilege escalation, or remote code execution on systems using these products.

What this means

What could happen

An attacker could exploit these vulnerabilities to run arbitrary code on engineering workstations, HMIs, or control servers, enabling them to alter setpoints, steal sensitive plant configurations, or disable operations. The WibuKey DRM library is fundamental to license verification in industrial software, so compromise could affect multiple control functions simultaneously.

Who's at risk

Water utilities and electric utilities using Siemens control systems (SICAM 230, SISHIP EMCS, IMAC, IPMS), Phoenix Contact visualization (MEVIEW3), COPA-DATA HMI/SCADA (zenon, straton workbench), or Sprecher Automation process control (SPRECON-V460) are at risk. Engineers and operators using these systems for power distribution, water treatment, or process monitoring could be compromised.

How it could be exploited

An attacker with network access to a system running one of the affected products could send specially crafted input to the WibuKey DRM library to trigger a buffer overflow or information disclosure. If the product is internet-facing or reachable from an untrusted network, no local access is required. The attacker does not need credentials, as the vulnerability exists in the license verification mechanism itself.

Prerequisites

Network access to the affected industrial software product (no specific port required if embedded in the application)
The affected product must be installed and running WibuKey DRM library version with the vulnerability
No credentials or special configuration required for exploitation

Remotely exploitableNo authentication requiredLow complexity attackCritical CVSS score (10.0)High EPSS score (79.3%)Affects multiple widely-used industrial control software platformsNo patch available for most affected products

Exploitability

High exploit probability (EPSS 79.3%)

Affected products (9)

1 with fix4 pending4 EOL

ProductAffected VersionsFix Status

3.16: All< P007No fix yet

Phoenix Contact MEVIEW3: All≤ 3.14.25 | 3.15.18No fix yet

3.14: All< P025No fix yet

3.15: All< P018No fix yet

Siemens SICAM 230: All≤ 7.20No fix (EOL)

Sprecher Automation SPRECON-V460 products: All≤ 7.20 (7.50 and 7.60 may also be affected if WibuKey was installed manually)No fix (EOL)

COPA-DATA straton workbench: All≤ 9.2No fix (EOL)

COPA-DATA zenon products: All≤ 7.20 (7.50 and 7.60 may also be affected if WibuKey was installed manually)No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/4

HOTFIXUpdate to the latest WIBU SYSTEMS WibuKey software library from https://www.wibu.com/support/user/downloads-user-software.html

HOTFIXFor Siemens SISHIP products, contact Siemens customer support to obtain and deploy the updated software version that resolves WibuKey vulnerabilities

HARDENINGSegment engineering workstations and HMI systems running affected products from the general corporate network to limit remote access

HARDENINGRestrict network access to ports and protocols used by affected products to only authorized engineering and control networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor for suspicious connections or license validation errors in affected product logs, which may indicate exploitation attempts

CVEs (3)

CVE-2018-3989 CVE-2018-3990 CVE-2018-3991

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/3963bd8d-ae11-41bd-b2a2-b0df7836a17e