Wibu-Systems CodeMeter Runtime
Priority: Act Now | CVSS 9.1 | ICS-CERT ICSA-21-210-02 | Jul 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
WIBU Systems CodeMeter Runtime contains two vulnerabilities (CVE-2021-20093, CVE-2021-20094) in its network servers. CVE-2021-20093 is a buffer over-read in the CmLAN network server that lets an unauthenticated remote attacker read sensitive data from the heap of the CodeMeter Runtime process. CVE-2021-20094 is a denial-of-service vulnerability in the CmWAN server that lets an unauthenticated remote attacker crash the CodeMeter.exe process. CodeMeter Runtime is embedded in multiple Siemens products for license management, and its network server is enabled by default. Successful exploitation could result in information disclosure or loss of availability for the Siemens automation systems that depend on it for license validation.
What this means
What could happen
An attacker on your network could read sensitive data from CodeMeter Runtime memory or crash the license server, which could disrupt operations for Siemens automation software that depends on license validation.
Who's at risk
Organizations running Siemens industrial automation software that relies on CodeMeter for license management, including PSS CAPE engineering environments, SICAM power system management, SIMATIC process control systems, SIMATIC WinCC OA HMI platforms, and SINEMA remote access servers. This affects engineering workstations, central process servers, and remote access gateways.
How it could be exploited
An attacker with network access to the CodeMeter Runtime network server (CmLAN port, typically enabled by default) could send a crafted request to trigger a buffer over-read to leak heap data, or send a malformed message to crash the CodeMeter.exe process. This would require the attacker to reach the port from the network—no valid license or credentials are required.
Prerequisites
- Network access to the CodeMeter Runtime network server: the CmLAN port (enabled by default) for CVE-2021-20093, or the CmWAN remote web access server for CVE-2021-20094
- No authentication, valid license or credentials required
- CodeMeter Runtime older than version 7.21a deployed in your environment
Why act now
- Remotely exploitable over the network
- No authentication required
- Low complexity attack
- Affects multiple critical Siemens industrial products
- No patch available for several affected products (PSS CAPE, SICAM 230, SIMATIC Information Server, SIMATIC Process Historian)
- Can crash the license server, disrupting dependent systems
Exploitability
Moderate exploit probability (EPSS 8.2%)
Affected products (10)
Fix status: 6 with fix, 1 pending, 3 EOL. The 8 products with version details are listed below; the two remaining EOL products (SIMATIC Information Server, SIMATIC Process Historian) appear under "Mitigations - no patch available".

Product                        Affected Versions                                                  Fix Status
PSS(R)CAPE                     CAPE 14 installations installed from material dated                No fix yet
                               earlier than 2021-06-16
SIMATIC PCS neo                < V3.1                                                             V3.1
SIMATIC WinCC OA V3.17         < V3.17 P013                                                       V3.17 P013
SIMATIC WinCC OA V3.18         < V3.18 P002                                                       V3.18 P002
SIMIT Simulation Platform      ≥ V10.0 and < V10.3 Upd 1                                          V10.3 Upd 1
SINEC INS                      < V1.0.1 Update 1                                                  V1.0.1 Update 1
SINEMA Remote Connect Server   < V3.0 SP2                                                         V3.0 SP2
SICAM 230                      All versions                                                       No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Disable the CodeMeter network server (CmLAN) if it is not needed; run CodeMeter as client-only, bound to localhost.
- WORKAROUND: If the network server is required, configure a host-based firewall so that only trusted hosts can reach the CmLAN port.
- WORKAROUND: For CmWAN (remote web access), disable the feature if it is not in use; if it is required, deploy it only behind a reverse proxy that enforces user authentication.
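The two prerequisites listed above (a runtime older than 7.21a, and a CmLAN port reachable from the network) and the two CmLAN workarounds just listed can be verified with a small inventory check. The script below is an added example for this page; it is not part of the advisory and not a Wibu-Systems or Siemens tool. It assumes CmLAN listens on 22350/TCP (CodeMeter's default; change CMLAN_PORT if your deployment differs) and uses a constructed host inventory. Run it from a host other than the license server itself: a refused or timed-out connection from elsewhere on the segment is what a disabled network server, a loopback-only binding, or a correct firewall rule all look like from outside, which is the state the workarounds aim for.

```python
"""Exposure check for Wibu-Systems CodeMeter Runtime (CVE-2021-20093/-20094).

Added example, not from the advisory, Wibu-Systems or Siemens. It answers two
questions per host: is the installed runtime older than 7.21a, and does the
CmLAN network server accept TCP connections from where this script runs?
Assumptions: CmLAN on 22350/TCP (CodeMeter's default; adjust CMLAN_PORT) and a
constructed inventory in __main__.
"""
from __future__ import annotations

import re
import socket
from dataclasses import dataclass

CMLAN_PORT = 22350       # assumed default CmLAN port; override if yours differs
FIXED_VERSION = "7.21a"  # first fixed CodeMeter Runtime release per the advisory

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)([a-z])?\s*$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a CodeMeter version string such as '7.20c' into a sortable tuple.

    CodeMeter versions carry a letter patch level after major.minor. A missing
    letter sorts below 'a', so '7.21' < '7.21a', matching the advisory's
    '< 7.21a' wording.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised CodeMeter version: {text!r}")
    major, minor, letter = m.groups()
    patch = (ord(letter) - ord("a") + 1) if letter else 0
    return int(major), int(minor), patch


def is_vulnerable(version: str) -> bool:
    """True when the runtime is older than the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def cmlan_reachable(host: str, port: int = CMLAN_PORT, timeout: float = 2.0) -> bool:
    """TCP connect test against the CmLAN port.

    A completed handshake means any host on the path can talk to the
    unauthenticated server. Refused/timed-out means the network server is off,
    bound to loopback, or filtered by a firewall; all three satisfy the
    workarounds, and this test cannot tell them apart from outside.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # includes refused, timeout and unresolvable names
        return False


@dataclass
class Finding:
    host: str
    version: str
    outdated: bool
    exposed: bool

    @property
    def action(self) -> str:
        """Map the two checks onto the advisory's remediation buckets."""
        if self.outdated and self.exposed:
            return "patch to 7.21a+ AND disable CmLAN or restrict the port now"
        if self.outdated:
            return "patch to 7.21a+ (port not reachable from here; keep it that way)"
        if self.exposed:
            return "fixed version, but unauthenticated port still reachable; restrict it"
        return "no action"


def assess(inventory: dict[str, str], port: int = CMLAN_PORT) -> list[Finding]:
    """Evaluate each host -> version pair: version status plus a live port check."""
    return [
        Finding(host, version, is_vulnerable(version), cmlan_reachable(host, port))
        for host, version in inventory.items()
    ]


if __name__ == "__main__":
    # Constructed inventory for illustration; replace with your asset list.
    inventory = {
        "eng-ws-01.example.net": "7.10b",
        "pcs-neo-srv.example.net": "7.21a",
        "wincc-oa-hmi.example.net": "6.90c",
    }
    for f in assess(inventory):
        print(f"{f.host:28} {f.version:6} outdated={str(f.outdated):5} "
              f"exposed={str(f.exposed):5} -> {f.action}")
```

The version comparison is the part people get wrong by hand: "7.9c" is older than "7.10b", and a bare "7.21" is still below the fix, so the tuple ordering is deliberate rather than a string compare. The port test only tells you whether the unauthenticated listener is reachable from the scanning host, so run it from each network segment that should not have access.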
Schedule: requires a maintenance window
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Update CodeMeter Runtime to version 7.21a or later, and apply the updates to all dependent Siemens products that have patches available (see the affected products table).
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SICAM 230, SIMATIC Information Server, SIMATIC Process Historian (incl. Process Historian OPC UA Server). Because the vulnerable component is the CodeMeter Runtime itself, the CmLAN and CmWAN workarounds listed under "Do now" apply to these products as well. Additionally, apply the following compensating control:
- HARDENING: Isolate Siemens automation systems on a separate network segment from business and internet-facing systems.
CVEs (2): CVE-2021-20093, CVE-2021-20094