Wibu-Systems CodeMeter (Update F)

Plan: Patch | CVSS: 10 | ICS-CERT: ICSA-20-203-01 | Aug 20, 2020
Vendors: Siemens, Schneider Electric, Mitsubishi Electric, WAGO | Sectors: Energy, Manufacturing
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

Wibu-Systems CodeMeter contains multiple critical vulnerabilities in its WebSockets API that allow unauthenticated remote attackers to forge license files, read heap memory, cause denial of service, and potentially execute arbitrary code. The vulnerabilities stem from weak cryptographic signature validation (CWE-346, CWE-347), insufficient input validation (CWE-20, CWE-404), insufficient key length (CWE-326), and buffer overflow conditions (CWE-805). CodeMeter is a widely used software licensing and protection platform embedded in control system software from dozens of vendors. Successful exploitation could allow an attacker to disable third-party software, alter licensing restrictions, crash the runtime, or gain code execution on hosts running CodeMeter.

What this means
What could happen
An attacker could forge license files, execute remote commands on the CodeMeter runtime, read sensitive data from memory, or cause it to crash, disrupting any third-party software (engineering tools, control software, HMIs) that relies on CodeMeter for licensing and protection.
Who's at risk
This affects any organization using Wibu-Systems CodeMeter for software licensing and protection, including manufacturers and operators of industrial control systems, engineering workstations, HMIs, and PLCs from vendors such as ABB, Bosch, Siemens, Rockwell Automation, Schneider Electric, Phoenix Contact, Dräger, Eaton, PILZ, WAGO, and others. Any facility using CODESYS-based controllers or protected proprietary software dependent on CodeMeter is at risk.
How it could be exploited
An attacker with network access to a device running CodeMeter can send specially crafted requests to the WebSockets API (default port 22350). No authentication is required. The attacker could send malformed data to trigger buffer overflows (CWE-805), forge cryptographic signatures (CWE-346, CWE-347), or bypass access controls (CWE-404) to alter license files, read heap memory, or achieve code execution on the host running CodeMeter.
Prerequisites
  • Network reachability to CodeMeter WebSockets API (default port 22350)
  • CodeMeter Runtime running with WebSockets API enabled
  • No authentication required for exploitation
  • Vulnerable CodeMeter version: 7.10 or earlier, 7.10a or earlier, 6.90 or earlier, or 6.81 or earlier
Risk factors
  • Remotely exploitable
  • No authentication required
  • Low attack complexity
  • High CVSS score (10.0)
  • Multiple attack vectors (code execution, data exfiltration, denial of service)
  • Default WebSockets API port exposed on many systems
  • Wide vendor ecosystem dependency
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (16)
9 with fix, 1 pending, 6 EOL
Product | Affected Versions | Fix Status
SIMATIC PCS neo | < V3.0 SP1 Update 1 | 3.0 SP1 Update 1
SIMATIC WinCC OA | < V3.17 P007 | 3.17 P007
SIMIT Simulation Platform | ≥ V10.0 and < V10.2 Upd1 | 10.2 Upd1
SINEC INS | < V1.0 SP1 | 1.0 SP1
SINEMA Remote Connect | < V3.0 | 3.0
Remediation & Mitigation
Do now
  • WORKAROUND: Disable the WebSockets API on all CodeMeter instances that do not require it
  • WORKAROUND: Configure CodeMeter to run only as a client, not as a server
  • HARDENING: Place CodeMeter devices behind firewall rules that restrict inbound access to port 22350 (WebSockets API) to only trusted engineering workstations and control networks
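The firewall hardening item above only works if the allowlist is actually enforced, so a defender will want a way to verify it. The following script is an added example, not code from Wibu-Systems or from this advisory: it reads firewall connection records, keeps only TCP traffic to the default WebSockets API port 22350, and reports every source address outside the trusted engineering and control ranges. The log line shape, the trusted network ranges and the sample records are all constructed for this example; a real deployment would substitute its own firewall export format and site-specific allowlist.

```python
"""Audit inbound connections to the CodeMeter WebSockets API port (22350).

Added example, not Wibu-Systems code. Flags connection records whose
source lies outside the trusted engineering/control network allowlist.
"""
import ipaddress
import re
from dataclasses import dataclass

CODEMETER_WS_PORT = 22350  # default WebSockets API port named in the advisory

# Constructed allowlist (assumed values): the only ranges that should be
# allowed to reach CodeMeter's WebSockets API in this example site.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.10.20.0/24"),  # engineering workstations (assumed)
    ipaddress.ip_network("10.10.30.0/24"),  # control network (assumed)
]

# Constructed firewall-log format for this example; real exports differ.
LOG_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    reason: str


def is_trusted(addr: str) -> bool:
    """True if the address falls inside any allowlisted range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETWORKS)


def audit_lines(lines):
    """Return one Finding per untrusted source that touched port 22350/tcp."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated or unparseable record
        if m["proto"].lower() != "tcp" or int(m["dport"]) != CODEMETER_WS_PORT:
            continue  # not WebSockets API traffic
        if is_trusted(m["src"]):
            continue  # permitted by the allowlist
        # An ACCEPT from an untrusted source means the firewall rule is missing
        # or too broad; a DROP shows the rule worked but someone is probing.
        reason = ("untrusted source reached WebSockets API"
                  if m["action"] == "ACCEPT"
                  else "untrusted source probed WebSockets API (blocked)")
        findings.append(Finding(m["ts"], m["src"], m["dst"], reason))
    return findings


def summarize(findings):
    """Count findings per source address, most active first."""
    counts = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample records: one trusted client, one untrusted host that
# got through, one blocked probe, and two non-matching records.
SAMPLE_LOG = [
    "2020-08-20T10:00:01Z ACCEPT proto=tcp src=10.10.20.15:51234 dst=10.10.40.7:22350",
    "2020-08-20T10:00:05Z ACCEPT proto=tcp src=192.168.1.50:40001 dst=10.10.40.7:22350",
    "2020-08-20T10:00:09Z DROP proto=tcp src=203.0.113.9:44444 dst=10.10.40.7:22350",
    "2020-08-20T10:00:12Z ACCEPT proto=tcp src=192.168.1.50:40002 dst=10.10.40.7:443",
    "2020-08-20T10:00:15Z ACCEPT proto=udp src=192.168.1.50:40003 dst=10.10.40.7:22350",
    "2020-08-20T10:00:20Z ACCEPT proto=tcp src=192.168.1.50:40004 dst=10.10.40.8:22350",
]

if __name__ == "__main__":
    for f in audit_lines(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst}: {f.reason}")
    print("per-source totals:", summarize(audit_lines(SAMPLE_LOG)))
```

An ACCEPT finding is the one to act on first: it means a host outside the allowlist can already reach the unauthenticated API, so the firewall rule from the hardening item is absent or too permissive on that path. DROP findings confirm the rule is in place and double as a cheap detection signal for scanning against the CodeMeter port.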
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update CodeMeter Runtime to the latest patched version released by Wibu-Systems
  • WORKAROUND: Replace internal WebSockets API calls with the new REST API where applicable
  • HARDENING: Apply Wibu-Systems AxProtector protection to CodeMeter Runtime
Mitigations - no patch available
The following products have reached End of Life with no planned fix: PSS CAPE Protection Simulation Platform, SICAM 230, E+PLC400 (all versions), E+PLC100 (all versions), E+PLC_Setup (all versions), and EcoStruxure Machine Expert (formerly known as SoMachine and SoMachine Motion; all versions). Apply the following compensating controls:
  • HARDENING: Isolate control system networks running CodeMeter from the business network
