OTPulse

FESTO Automation Suite, FluidDraw, and Festo Didactic Products

Act Now · CVSS 9.8 · ICS-CERT ICSA-25-182-02 · Nov 28, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability exists in the Wibu CodeMeter Runtime, a licensing component embedded in several Festo industrial automation products, including Festo Automation Suite, FluidDraw, FluidSIM, CIROS Studio/Education, and MES-PC. It is an out-of-bounds write (CWE-787) in CodeMeter Runtime when the service runs in server mode, i.e. as a network licence server. An unauthenticated attacker who can reach the CodeMeter service over the network can send a specially crafted request and achieve remote code execution with full system privileges. Affected versions: Festo Automation Suite up to 2.6.0.481, FluidDraw P6 up to 6.2k, FluidDraw 365 up to 7.0a, CIROS Studio/Education 6.0.0 to 6.4.6 and 7.0.0 to 7.1.7, FluidSIM 5 (all versions), FluidSIM 6 up to 6.1c, and MES-PC units shipped before December 2023.

What this means
What could happen
An attacker with network access to a host running CodeMeter Runtime in server mode could execute arbitrary code and gain full administrative control of that host. Because these hosts are engineering workstations and simulation servers, that foothold can be used to tamper with PLC projects and process logic before they are deployed, alter equipment settings, or disrupt the industrial processes the tools manage.
Who's at risk
Organizations using Festo industrial automation design and simulation tools should care: primarily engineering departments and control system integrators who use Festo Automation Suite, FluidDraw, FluidSIM, CIROS Studio, or MES-PC for PLC programming, hydraulic/pneumatic circuit design, and factory simulation. Affected equipment includes engineering workstations, simulation servers, and control system development environments.
How it could be exploited
An attacker sends a crafted request to the CodeMeter Runtime network service. The out-of-bounds write (CWE-787) corrupts memory in the service process, letting the attacker run code of their choosing with the service's system-level privileges on the affected host. No credentials or user interaction are needed, so controls that rely on authentication do not stop it.
Prerequisites
  • Network access to the host system running CodeMeter Runtime in server mode (typically port 22350)
  • CodeMeter Runtime version < 7.60c (embedded in affected Festo products)
Tags: remotely exploitable · no authentication required · low attack complexity · affects design and control system engineering environments · no vendor patch for the EOL product versions listed (Festo Automation Suite, FluidSIM, CIROS Studio/Education); FluidDraw has a fixed release, and for CIROS Studio/Education, FluidSIM and MES-PC the embedded CodeMeter Runtime can be updated independently
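A triage check a practitioner would run after reading the prerequisites above, as an added example (not code from Festo, Wibu or this advisory): it parses CodeMeter's major.minor-plus-letter version strings so that 7.60b sorts below the 7.60c fix, then classifies each inventoried host by whether the vulnerable runtime is actually reachable in server mode on TCP/22350. The inventory, host names, addresses and the 10.20.0.0/16 engineering subnet are constructed assumptions; the version format, the fix version and the port come from the advisory.

```python
"""Triage a CodeMeter Runtime inventory against the 7.60c fix version.

Added example for this advisory; it is not Festo or Wibu code. The version
grammar ("7.60c": major.minor plus an optional patch letter), the fixed
version 7.60c and port 22350 come from the advisory; the inventory records,
host names, addresses and the engineering subnet are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

FIXED_VERSION = "7.60c"
CODEMETER_PORT = 22350
ENGINEERING_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed segregated segment

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)([a-z]?)$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Map '7.60c' to (7, 60, 3). A missing letter sorts below 'a'."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised CodeMeter version: {text!r}")
    major, minor, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return int(major), int(minor), patch


def is_vulnerable(version: str) -> bool:
    """True when the runtime predates the 7.60c fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    codemeter_version: str
    server_mode: bool            # runtime configured as a network licence server
    listening: tuple[int, ...]   # TCP ports observed open on the host


def triage(host: Host) -> str:
    """Classify one host: patched, not-exposed, exposed-internal, exposed-external."""
    if not is_vulnerable(host.codemeter_version):
        return "patched"
    if not host.server_mode or CODEMETER_PORT not in host.listening:
        # Vulnerable binary, but the network-facing path is closed; still schedule the update.
        return "not-exposed"
    if ipaddress.ip_address(host.ip) in ENGINEERING_NET:
        return "exposed-internal"
    return "exposed-external"   # reachable from outside the engineering segment: act now


ACTION = {
    "patched": "no action",
    "not-exposed": "schedule CodeMeter Runtime update to 7.60c or later",
    "exposed-internal": "restrict TCP/22350 to licence clients; update runtime in next window",
    "exposed-external": "block TCP/22350 at the firewall now; move host to engineering segment; update runtime",
}

# Constructed inventory, e.g. exported from an asset database.
INVENTORY = [
    Host("ews-festo-01", "10.20.1.15", "7.40a", True, (22350, 3389)),
    Host("sim-ciros-02", "192.168.50.8", "7.60b", True, (22350,)),
    Host("fluidsim-lab", "10.20.3.40", "7.60c", True, (22350,)),
    Host("fluiddraw-07", "10.20.3.41", "7.51", False, (3389,)),
]


def report(hosts=INVENTORY) -> dict[str, str]:
    """Return host name -> triage class for the whole inventory."""
    return {h.name: triage(h) for h in hosts}


if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name:16} {status:18} {ACTION[status]}")
```

The part that matters is the version comparison: a plain string or float comparison gets 7.60 versus 7.60c wrong, and 7.60b looks current to the eye, yet both are below the fix. The exposure classes only decide urgency; every vulnerable runtime still gets the update.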
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (8): 3 with fix, 5 EOL

Product                      Affected Versions                    Fix Status
Festo Automation Suite       ≤ 2.6.0.481                          No fix (EOL)
FluidDraw 365                ≤ 7.0a                               Fixed in latest version
CIROS Studio / Education     6.0.0 to 6.4.6                       No fix (EOL)
CIROS Studio / Education     7.0.0 to 7.1.7                       No fix (EOL)
FluidSIM 5                   all versions                         No fix (EOL)
FluidSIM 6                   ≤ 6.1c                               No fix (EOL)
FluidDraw P6                 ≤ 6.2k                               Fixed in latest version
MES-PC                       units shipped before December 2023   Fixed in units shipped after December 2023
Remediation & Mitigation

Do now

[HARDENING] Isolate Festo automation systems from internet-accessible networks using firewalls; in particular, do not expose TCP/22350 (the CodeMeter network service) beyond the hosts that need it.
[HARDENING] Move Festo engineering and design workstations onto a segregated network segment separated from the business network.
[HARDENING] If remote access to Festo systems is required, route it only through a VPN with strong authentication and keep the VPN client software updated.
Schedule (requires maintenance window)

Patching may require a host reboot; plan for process interruption.

[HOTFIX] Update CodeMeter Runtime to version 7.60c or later on all Festo Didactic CIROS Studio/Education, FluidSIM, and MES-PC systems.
[HOTFIX] For Festo Automation Suite, plan and schedule the update to the Summer 2024 release when it becomes available.
[HOTFIX] Update FluidDraw P6 and FluidDraw 365 to the latest available versions.