Wibu-Systems CodeMeter Vulnerabilities

Act Now10SEVD-2020-287-02Oct 13, 2020

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Wibu-Systems CodeMeter licensing manager contains multiple critical vulnerabilities that affect Schneider Electric and Eurotherm products including EcoStruxure Machine Expert, EcoStruxure Machine SCADA Expert, and E+PLC series controllers. These vulnerabilities allow attackers to alter and forge license files, cause denial-of-service, achieve remote code execution, read heap data, and prevent normal operation of software dependent on CodeMeter licensing. All versions of affected Schneider products are vulnerable with no patches available as of December 2020.

What this means

What could happen

An attacker could forge licenses to enable unauthorized use of control software, execute commands on engineering workstations and SCADA servers, or disable the software entirely, disrupting monitoring and control of industrial processes. Loss of SCADA visibility or control capability could force manual operation or plant shutdown.

Who's at risk

Energy and manufacturing companies using Schneider Electric EcoStruxure Machine Expert (formerly SoMachine), EcoStruxure Machine SCADA Expert, or E+PLC series PLCs for process control. This affects engineering workstations where software licenses are managed, SCADA servers, and PLC configuration systems.

How it could be exploited

An attacker on the network can send malformed requests to the CodeMeter license manager service running on engineering workstations or SCADA servers, exploiting the vulnerability to forge valid licenses, trigger remote code execution, or leak sensitive data from memory. No user interaction or credentials are required.

Prerequisites

Network access to the CodeMeter service port on engineering workstations, SCADA servers, or PLC setup machines
CodeMeter licensing manager installed and running on the target system

Remotely exploitableNo authentication requiredLow complexity attackRemote code execution capabilityNo patch availableHigh-impact licensing and SCADA software affected

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (5)

1 with fix4 EOL

ProductAffected VersionsFix Status

E+PLC400 All versionsAll versionsNo fix (EOL)

E+PLC100 All versionsAll versionsNo fix (EOL)

E+PLC_Setup All versionsAll versionsNo fix (EOL)

EcoStruxure Machine SCADA Expert All versionsAll versionsCodeMeter 7.10a

EcoStruxure Machine Expert (formerly known as SoMachine and SoMachine Motion) All versionsAll versionsNo fix (EOL)

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDRestrict network access to CodeMeter services using firewall rules; block CodeMeter service ports from the business network and internet

HARDENINGNever connect engineering workstations (EcoStruxure Machine Expert, SCADA Expert) to networks other than the isolated control network

Schedule — requires maintenance window

0/4

Patching may require device reboot — plan for process interruption

HARDENINGIsolate control and SCADA networks behind firewalls, separate from the business network

HARDENINGPrevent unauthorized physical access to programming workstations and PLC setup machines; lock cabinets and set controllers to non-Program mode

WORKAROUNDScan all USB drives, CDs, and external media for malware before connecting to isolated control networks

HOTFIXMonitor for and upgrade CodeMeter to the latest version when Schneider Electric releases a patch for affected products

CVEs (6)

CVE-2020-14509 CVE-2020-14513 CVE-2020-14515 CVE-2020-14517 CVE-2020-14519 CVE-2020-16233

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ea81d28d-1a8c-4170-a048-469d87dd12c0