OTPulse

FESTO Automation Suite, FluidDraw, and Festo Didactic Products

Plan PatchCVSS 9.8ICS-CERT ICSA-25-182-02Sep 19, 2023
CODESYSPhoenix ContactWAGOBeckhoffFestoPilzManufacturing
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

A vulnerability exists in the Wibu CodeMeter Runtime library, which is embedded in several Festo industrial automation products including Festo Automation Suite, FluidDraw, FluidSIM, CIROS Studio/Education, and MES-PC. The vulnerability is an out-of-bounds write (CWE-787) in CodeMeter Runtime when operating in server mode. An attacker can send a specially crafted network request to the CodeMeter service to trigger remote code execution with full system privileges, without authentication. This affects multiple versions: Festo Automation Suite up to 2.6.0.481, FluidDraw P6 up to 6.2k, FluidDraw 365 up to 7.0a, CIROS Studio/Education 6.0.0–6.4.6 and 7.0.0–7.1.7, FluidSIM 5 (all versions), FluidSIM 6 up to 6.1c, and MES-PC units shipped before December 2023.

What this means
What could happen
An attacker with network access to CodeMeter Runtime in server mode could execute arbitrary code and gain full administrative access on the host system, allowing them to modify process logic, alter equipment settings, or shut down industrial processes.
Who's at risk
Organizations using Festo industrial automation design and simulation tools should care: primarily engineering departments and control system integrators who use Festo Automation Suite, FluidDraw, FluidSIM, CIROS Studio, or MES-PC for PLC programming, hydraulic/pneumatic circuit design, and factory simulation. Affected equipment includes engineering workstations, simulation servers, and control system development environments.
How it could be exploited
An attacker sends a crafted network request to the CodeMeter Runtime service listening on the network. The vulnerability (CWE-787, out-of-bounds write) in the Runtime allows the attacker to inject code that executes with system privileges, bypassing all security controls on the affected Festo device.
Prerequisites
  • Network access to the host system running CodeMeter Runtime in server mode (typically port 22350)
  • CodeMeter Runtime version < 7.60c (embedded in affected Festo products)
remotely exploitableno authentication required for network accesslow complexity attackaffects design and control system environmentsno patch available for most products (Festo Automation Suite, FluidDraw, FluidSIM, CIROS Studio)
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (40)
14 with fix21 pending5 EOL
ProductAffected VersionsFix Status
Festo Automation Suite <= 2.6.0.481≤ 2.6.0.481No fix (EOL)
FluidDraw 365 <= 7.0a365 ≤ 7.0alatest version
CIROS Studio / Education 6.0.0 - 6.4.6≥ 6.0.0|≤ 6.4.6No fix (EOL)
CIROS Studio / Education 7.0.0 - 7.1.7≥ 7.0.0|≤ 7.1.7No fix (EOL)
FluidSIM 5 all versions5 allNo fix (EOL)
Remediation & Mitigation
0/6
Do now
0/3
HARDENINGIsolate Festo automation systems from internet-accessible networks using firewalls
HARDENINGMove Festo engineering and design workstations onto a segregated network segment separated from the business network
HARDENINGIf remote access to Festo systems is required, route only through a VPN with strong authentication and keep the VPN client software updated
Schedule — requires maintenance window
0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate CodeMeter Runtime to version 7.60c or later on all Festo Didactic CIROS Studio/Education, FluidSIM, and MES-PC systems
HOTFIXFor Festo Automation Suite, plan and schedule update to Summer 2024 release when available
HOTFIXUpdate FluidDraw P6 and FluidDraw 365 to the latest available versions
View full CISA ICS-CERT advisory
API: /api/v1/advisories/bcc3d06a-88b8-41f1-941f-f0e26e8fd3af

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.