OTPulse

Siemens WIBU Systems CodeMeter

Act Now | 9 | ICS-CERT ICSA-23-257-06 | Sep 12, 2023
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

WIBU Systems CodeMeter Runtime contains a heap buffer overflow vulnerability (CVE-2023-3935) in license management software used by multiple Siemens industrial products. Successful exploitation allows unauthenticated remote code execution on systems where CodeMeter Runtime is configured as a server, or authenticated local privilege escalation on systems where it is configured as a client. Affects PSS(R)CAPE, PSS(R)E, PSS(R)ODMS, SIMATIC PCS neo, SIMATIC WinCC OA, SIMIT Simulation Platform, SINEC INS, and SINEMA Remote Connect.

What this means
What could happen
An attacker could remotely execute code on engineering workstations or servers running CodeMeter as a server, potentially gaining control of license management and process control systems. A local attacker with credentials could escalate to admin/root privileges on affected products.
Who's at risk
Manufacturing organizations using Siemens power systems engineering software (PSS CAPE, PSS E), operations and maintenance systems (PSS ODMS), control system software (SIMATIC PCS neo, WinCC OA), simulation platforms (SIMIT), or remote management tools (SINEC INS, SINEMA Remote Connect). Particularly critical for those running engineering workstations or centralized license servers that are networked.
How it could be exploited
If CodeMeter Runtime is configured as a server accessible over the network, an unauthenticated attacker can send a malformed request to trigger the heap buffer overflow and execute arbitrary code. If configured as a client, a local attacker with user credentials can exploit the vulnerability to gain system-level privileges, potentially allowing them to modify control system parameters or stop operations.
Prerequisites
  • Network access to CodeMeter Runtime when configured as server (typically port 22350 or other configured ports)
  • Local system access with user-level credentials when CodeMeter Runtime is configured as client
  • CodeMeter Runtime version prior to 7.60c
  • remotely exploitable (when configured as server)
  • no authentication required for remote exploitation
  • low complexity attack
  • affects industrial control and engineering systems
  • multiple products without available fixes
  • affects license management critical to system operation
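
An added example, not part of the advisory and not Siemens or WIBU tooling: a Python triage of an asset inventory against the prerequisites above, flagging CodeMeter Runtime installs older than 7.60c and separating server exposure from client exposure. The inventory, the host names and the `major.minor[letter]` version-string format are assumptions constructed for illustration.

```python
import re

FIXED = "7.60c"  # first fixed CodeMeter Runtime version named in the advisory
_VER = re.compile(r"^\s*[vV]?(\d+)\.(\d+)([a-z]?)\s*$")  # assumed version format

def parse_version(text):
    """Turn '7.60c' into (7, 60, 'c'); a missing letter sorts before 'a'."""
    m = _VER.match(text)
    if not m:
        raise ValueError(f"unrecognised CodeMeter version: {text!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3)

def is_vulnerable(version):
    """True when the version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED)

def triage(assets):
    """Return (host, finding) pairs, network-facing servers first."""
    ranked = []
    for a in assets:
        try:
            vulnerable = is_vulnerable(a["version"])
        except ValueError:
            # Do not guess: an unreadable version needs a manual check.
            ranked.append((2, a["host"], "version unreadable: verify manually"))
            continue
        if not vulnerable:
            continue
        if a["role"] == "server":
            ranked.append((0, a["host"], "server: unauthenticated remote code execution"))
        else:
            ranked.append((1, a["host"], "client: authenticated local privilege escalation"))
    return [(host, finding) for _, host, finding in sorted(ranked)]

# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = [
    {"host": "eng-ws-01", "role": "client", "version": "7.21a"},
    {"host": "lic-srv-01", "role": "server", "version": "7.60b"},
    {"host": "lic-srv-02", "role": "server", "version": "7.60c"},
    {"host": "sim-ws-03", "role": "client", "version": "8.00"},
    {"host": "hmi-07", "role": "client", "version": "unknown"},
]

if __name__ == "__main__":
    for host, finding in triage(INVENTORY):
        print(f"{host}: {finding}")
```
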
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (14)
9 with fix, 5 pending

Product                 Affected Versions    Fix Status
PSS(R)CAPE V14          <V14.2023-08-23      No fix yet
PSS(R)CAPE V15          <V15.0.22            15.0.22
PSS(R)E V34             <V34.9.6             34.9.6
PSS(R)E V35             <V35.6.1             35.6.1
PSS(R)ODMS V13.0        All versions         No fix yet
PSS(R)ODMS V13.1        <V13.1.12.1          13.1.12.1
SIMATIC PCS neo V3      All versions         No fix yet
SIMATIC PCS neo V4.0    All versions         No fix yet
Remediation & Mitigation
Do now
SIMIT Simulation Platform
HARDENING: For SIMIT Simulation Platform: ensure only trusted persons have access to the system and avoid configuration of additional local accounts.
All products
WORKAROUND: If CodeMeter Runtime is configured as a server: implement network-level access controls to limit remote access to the system; restrict inbound connections to CodeMeter Runtime ports to only authorized engineering workstations and management systems.
HARDENING: If CodeMeter Runtime is configured as a client: restrict local system access to trusted personnel only and avoid creating additional local user accounts.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

PSS(R)CAPE V15
HOTFIX: Update PSS(R)CAPE V15 to version 15.0.22 or later, PSS(R)E V34 to 34.9.6 or later, PSS(R)E V35 to 35.6.1 or later, PSS(R)ODMS V13.1 to 13.1.12.1 or later, SIMATIC WinCC OA V3.17 to 3.17 P030 or later, V3.18 to 3.18 P021 or later, V3.19 to 3.19 P006 or later, and SIMIT Simulation Platform to 11.2 or later.
PSS(R)CAPE V14
HOTFIX: For PSS(R)CAPE V14, PSS(R)E V35, PSS(R)ODMS V13.0, and SIMIT Simulation Platform: manually install WIBU Systems CodeMeter Runtime V7.60c or a later version from https://www.wibu.com/support/user/user-software.html
SINEC INS
HOTFIX: Update SINEC INS to version 1.0 SP2 Update 2 or later.
Long-term hardening
HARDENING: Segment industrial control networks from business networks using firewalls; do not expose CodeMeter Runtime or dependent systems to the internet.
HARDENING: If remote access to engineering systems is required, use VPN or other secure remote access methods with proper authentication and monitoring.