Wibu-Systems CodeMeter Runtime

Plan PatchCVSS 9.1ICS-CERT ICSA-21-210-02Jul 13, 2021

SiemensMitsubishi ElectricCODESYSWAGO

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

WIBU Systems CodeMeter Runtime contains two vulnerabilities (CVE-2021-20093, CVE-2021-20094) in its network server. CVE-2021-20093 is a buffer over-read in the CmLAN network server that allows an unauthenticated remote attacker to read sensitive data from the CodeMeter Runtime process heap. CVE-2021-20094 is a denial-of-service vulnerability in the CmWAN server that allows an unauthenticated attacker to crash the CodeMeter.exe process. CodeMeter Runtime is embedded in multiple Siemens products for license management and is enabled by default. Successful exploitation could allow information disclosure or availability loss for dependent Siemens automation systems.

What this means

What could happen

An attacker on your network could read sensitive data from CodeMeter Runtime memory or crash the license server, which could disrupt operations for Siemens automation software that depends on license validation.

Who's at risk

Organizations running Siemens industrial automation software that relies on CodeMeter for license management, including PSS CAPE engineering environments, SICAM power system management, SIMATIC process control systems, SIMATIC WinCC OA HMI platforms, and SINEMA remote access servers. This affects engineering workstations, central process servers, and remote access gateways.

How it could be exploited

An attacker with network access to the CodeMeter Runtime network server (CmLAN port, typically enabled by default) could send a crafted request to trigger a buffer over-read to leak heap data, or send a malformed message to crash the CodeMeter.exe process. This would require the attacker to reach the port from the network—no valid license or credentials are required.

Prerequisites

Network access to CodeMeter Runtime network server (CmLAN port, default enabled)
No authentication or valid credentials required
CodeMeter Runtime version older than 7.21a deployed in your environment

Remotely exploitable over networkNo authentication requiredLow complexity attackAffects multiple critical Siemens industrial productsNo patch available for several affected products (PSS CAPE, SICAM 230, SIMATIC Information Server, SIMATIC Process Historian)Can crash license server, disrupting dependent systems

Exploitability

Some exploitation risk — EPSS score 8.2%

Affected products (18)

7 with fix8 pending3 EOL

ProductAffected VersionsFix Status

PSS(R)CAPECAPE 14 installations installed from material dated earlier than 2021-06-16No fix yet

SIMATIC PCS neo<V3.13.1

SIMATIC WinCC OA V3.17<V3.17 P0133.17 P013

SIMATIC WinCC OA V3.18<V3.18 P0023.18 P002

SIMIT Simulation Platform≥ V10.0 <V10.3 Upd 110.3 Upd1

Remediation & Mitigation

0/5

Do now

0/3

WORKAROUNDDisable CodeMeter network server (CmLAN) if not needed; run CodeMeter as client-only with localhost binding

WORKAROUNDIf network server is required, configure host-based firewall to restrict CmLAN port access to trusted hosts only

WORKAROUNDFor CmWAN (remote web access): disable the feature if not in use; if required, deploy only behind a reverse proxy with user authentication

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate CodeMeter Runtime to version 7.21a or later and apply updates to all dependent Siemens products that have patches available

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: SICAM 230, SIMATIC Information Server, SIMATIC Process Historian (incl. Process Historian OPC UA Server). Apply the following compensating controls:

HARDENINGIsolate Siemens automation systems on a separate network segment from business and internet-facing systems

CVEs (2)

CVE-2021-20093 CVE-2021-20094

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/8dced0a0-8761-4c20-af6c-f6dff1b2d60f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.