OTPulse

Wibu-Systems CodeMeter (Update F)

Priority: Act Now
CVSS score: 10.0
Source: ICS-CERT ICSA-20-203-01
Published: Aug 20, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Wibu-Systems CodeMeter contains multiple critical vulnerabilities in the CodeMeter Runtime's network service and its WebSockets API that allow unauthenticated remote attackers to forge license files, read heap memory, cause a denial of service, and potentially execute arbitrary code. They stem from an origin validation error in the WebSockets API (CWE-346), improper verification of cryptographic signatures (CWE-347), inadequate encryption strength in the network protocol (CWE-326), improper input validation (CWE-20), improper resource release that lets crafted packets leak heap contents back to the sender (CWE-404), and a buffer access with an incorrect length value (CWE-805). CodeMeter is a widely used software licensing and protection platform embedded in control system software from dozens of vendors, so every product that ships the runtime inherits these weaknesses. Successful exploitation could allow an attacker to disable third-party software, alter licensing restrictions, crash the runtime, or gain code execution on hosts running CodeMeter.

What this means
What could happen
An attacker could forge license files, execute remote commands on the CodeMeter runtime, read sensitive data from memory, or cause it to crash, disrupting any third-party software (engineering tools, control software, HMIs) that relies on CodeMeter for licensing and protection.
Who's at risk
This affects any organization using Wibu-Systems CodeMeter for software licensing and protection, including manufacturers and operators of industrial control systems, engineering workstations, HMIs, and PLCs from vendors such as ABB, Bosch, Siemens, Rockwell Automation, Schneider Electric, Phoenix Contact, Dräger, Eaton, PILZ, WAGO, and others. Any facility using CODESYS-based controllers or protected proprietary software dependent on CodeMeter is at risk.
How it could be exploited
An attacker with network access to a host running CodeMeter can send specially crafted packets to the CodeMeter network service (default port 22350) without any authentication. Malformed packets can trigger the incorrect-length buffer access (CWE-805) or improper input validation (CWE-20) to crash the runtime or reach code execution, and crafted packets can make the runtime answer with heap contents (CWE-404). Because the protocol's encryption is weak (CWE-326) and signature verification is flawed (CWE-347), the attacker can also produce license files or license updates that the runtime accepts. Separately, the WebSockets API does not validate the origin of connections (CWE-346), so a crafted JavaScript payload can drive the internal API and, combined with the signature flaw, alter or create license files.
Prerequisites
  • Network reachability to CodeMeter WebSockets API (default port 22350)
  • CodeMeter Runtime running with WebSockets API enabled
  • No authentication required for exploitation
  • Vulnerable CodeMeter version: depending on the individual weakness, all versions prior to 7.10, prior to 7.10a, prior to 6.90, or prior to 6.81 (the threshold differs per vulnerability; treat anything below 7.10a as affected)
Risk factors
  • Remotely exploitable
  • No authentication required
  • Low attack complexity
  • High CVSS score (10.0)
  • Multiple attack vectors (code execution, data exfiltration, denial of service)
  • Default CodeMeter network port (22350) exposed on many systems
  • Wide vendor ecosystem dependency
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product: CodeMeter (all variants)
Affected versions: all versions prior to 7.10, 7.10a, 6.90 or 6.81, depending on the individual vulnerability
Fix status: patched releases available from Wibu-Systems (see Remediation & Mitigation)
Remediation & Mitigation
Do now
WORKAROUND: Disable the WebSockets API on all CodeMeter instances that do not require it.
WORKAROUND: Configure CodeMeter to run only as a client (not as a network license server) on every host that does not need to serve licenses to other machines.
HARDENING: Place hosts running CodeMeter behind firewall rules that restrict inbound access to port 22350 to trusted engineering workstations and control networks only, and block it from the business network.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CodeMeter Runtime to the latest patched version released by Wibu-Systems; where the runtime ships inside a vendor's engineering tool or controller image, take the update from that vendor.
WORKAROUND (for software that integrates CodeMeter): Replace internal WebSockets API calls with the new REST API where applicable.
HARDENING: Apply Wibu-Systems AxProtector protection to CodeMeter Runtime.
Long-term hardening
HARDENING: Isolate control system networks running CodeMeter from the business network.
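The firewall and isolation items above are only as good as their verification. The script below is an added example for this page (not code from OTPulse, ICS-CERT or Wibu-Systems) that checks, from wherever it is run, which targets still accept a TCP connection on the CodeMeter port. Run it from the business network to confirm the segmentation holds, and from the engineering network to inventory runtimes that still listen and should be switched to client-only mode or patched. It assumes only the default port 22350 named in this advisory; the hosts and ranges are whatever you pass in. It performs a plain TCP connect, not a vulnerability check: a host that answers is reachable, not necessarily unpatched, and a host that does not answer may still be exposed from another segment.

```python
"""Exposure check for the CodeMeter network port (added example, not vendor code).

Attempts a plain TCP connect to each target on the CodeMeter port (22350 by
default, as named in the advisory) and reports which targets accept it.
No CodeMeter protocol data is sent.
"""
import argparse
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

CODEMETER_PORT = 22350        # default CodeMeter network port named in the advisory
DEFAULT_TIMEOUT_S = 2.0       # per-connect timeout; raise it on slow OT links


def expand_targets(specs):
    """Turn hostnames, single IPs and CIDR ranges into a de-duplicated host list.

    'plc-01' or '10.0.1.5' are kept as-is; '10.0.1.0/30' expands to its usable
    host addresses. Input order is preserved and duplicates are dropped.
    """
    hosts = []
    for spec in specs:
        spec = spec.strip()
        if not spec:
            continue
        try:
            net = ipaddress.ip_network(spec, strict=False)
        except ValueError:
            hosts.append(spec)        # hostname (or unparsable text): probe it literally
            continue
        if net.num_addresses == 1:
            hosts.append(str(net.network_address))
        else:
            hosts.extend(str(ip) for ip in net.hosts())
    return list(dict.fromkeys(hosts))


def probe(host, port=CODEMETER_PORT, timeout=DEFAULT_TIMEOUT_S):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                   # refused, timed out, unresolvable, unreachable
        return False


def find_exposed(hosts, port=CODEMETER_PORT, timeout=DEFAULT_TIMEOUT_S, workers=32):
    """Probe all hosts concurrently; return the sorted hosts that accepted the connection."""
    hosts = list(dict.fromkeys(hosts))
    if not hosts:
        return []
    with ThreadPoolExecutor(max_workers=min(workers, len(hosts))) as pool:
        results = list(pool.map(lambda h: (h, probe(h, port, timeout)), hosts))
    return sorted(h for h, is_open in results if is_open)


def main(argv=None):
    parser = argparse.ArgumentParser(description="Report hosts reachable on the CodeMeter port.")
    parser.add_argument("targets", nargs="+", help="hostnames, IPs or CIDR ranges")
    parser.add_argument("--port", type=int, default=CODEMETER_PORT)
    parser.add_argument("--timeout", type=float, default=DEFAULT_TIMEOUT_S)
    args = parser.parse_args(argv)
    exposed = find_exposed(expand_targets(args.targets), args.port, args.timeout)
    for host in exposed:
        print(f"EXPOSED  {host}:{args.port}")
    print(f"{len(exposed)} host(s) accept connections on port {args.port} from this position")
    return 1 if exposed else 0        # non-zero exit makes it usable as a scheduled check


if __name__ == "__main__":
    raise SystemExit(main())
```

Usage: `python codemeter_exposure.py 10.0.1.0/24 ews-01 --timeout 3`. A non-zero exit from the business-network run means a segmentation rule has regressed; a non-empty list from the engineering-network run is the worklist for the client-only and patching steps above.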