WIBU Systems CodeMeter Heap Buffer Overflow Vulnerability in Industrial Products
Act Now | 9 | SSA-240541 | Sep 12, 2023
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
WIBU Systems CodeMeter Runtime contains a heap buffer overflow vulnerability (CVE-2023-3935) in its license management functionality. The vulnerability affects multiple Siemens industrial products including PSS automation software, SIMATIC WinCC OA supervisory control systems, SIMIT simulation platforms, SINEC network infrastructure products, and SINEMA remote connectivity tools. Unauthenticated remote attackers can exploit this by sending a specially crafted packet to CodeMeter.exe when configured as a server. Local authenticated users can also exploit it to gain administrative privileges. Several product versions have no patch available and remain vulnerable.
What this means
What could happen
A heap buffer overflow in CodeMeter Runtime (used for license management across multiple Siemens products) could allow an attacker to execute arbitrary code on engineering workstations or industrial computers, potentially taking control of process automation systems and altering setpoints or stopping operations.
Who's at risk
Engineering teams, process control operators, and PLCs in manufacturing plants using Siemens power system automation software (PSS products), WinCC OA SCADA systems, SIMIT simulation platforms, SINEC network infrastructure, or SINEMA remote access tools. Also affects Mitsubishi Electric industrial products that embed CodeMeter. Any facility with these systems is at risk if CodeMeter Runtime is network-reachable or if local users have access to affected workstations.
How it could be exploited
An unauthenticated attacker on the network can send a crafted packet to CodeMeter.exe when it is configured as a server (listening on the network). Alternatively, an authenticated local user with access to a machine running CodeMeter as a client could exploit the buffer overflow to escalate to administrative privileges and modify system settings or access other processes.
Prerequisites
- Network access to CodeMeter Runtime listening port (when configured as server)
- CodeMeter Runtime must be running on the target system
- For local exploitation: authenticated user account on the workstation or PLC host
- Remotely exploitable (when CodeMeter configured as server)
- No authentication required for remote exploitation
- Heap buffer overflow can lead to code execution
- Multiple affected industrial products with no fix available (PSS CAPE V14, PSS ODMS V13.0, SIMATIC PCS neo V3 and V4, SINEMA Remote Connect)
- High CVSS score (9.0)
- Affects control system software and engineering workstations
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (14)
9 with fix, 5 EOL
Product | Affected Versions | Fix Status
PSS(R)CAPE V15 | <V15.0.22 | 15.0.22
PSS(R)E V34 | <V34.9.6 | 34.9.6
PSS(R)E V35 | <V35.6.1 | 35.6.1
PSS(R)ODMS V13.1 | <V13.1.12.1 | 13.1.12.1
SIMATIC WinCC OA V3.17 | All versions < V3.17 P030 | 3.17 P030
SIMATIC WinCC OA V3.18 | All versions < V3.18 P021 | 3.18 P021
SIMATIC WinCC OA V3.19 | All versions < V3.19 P006 | 3.19 P006
SIMIT Simulation Platform | ≥ V10.0 <V11.2 | 11.2
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to CodeMeter Runtime listening ports using firewall rules on production systems until patches can be applied
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
SIMATIC WinCC OA V3.17
HOTFIX: Update SIMATIC WinCC OA V3.17 to patch level P030 or later
SIMATIC WinCC OA V3.18
HOTFIX: Update SIMATIC WinCC OA V3.18 to patch level P021 or later
SIMATIC WinCC OA V3.19
HOTFIX: Update SIMATIC WinCC OA V3.19 to patch level P006 or later
SIMIT Simulation Platform
HOTFIX: Update SIMIT Simulation Platform to version 11.2 or later
SINEC INS
HOTFIX: Update SINEC INS to version 1.0 SP2 Update 2 or later
All products
HOTFIX: Update PSS CAPE V15 to version 15.0.22 or later
HOTFIX: Update PSS E V34 to version 34.9.6 or later
HOTFIX: Update PSS E V35 to version 35.6.1 or later
HOTFIX: Update PSS ODMS V13.1 to version 13.1.12.1 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: PSS(R)CAPE V14, PSS(R)ODMS V13.0, SIMATIC PCS neo V3, SINEMA Remote Connect, SIMATIC PCS neo V4.0. Apply the following compensating controls:
HARDENING: Disable CodeMeter server mode on engineering workstations if not required; configure as client-only
HARDENING: Implement network segmentation to isolate engineering workstations and PLCs running CodeMeter from untrusted networks
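Added example, not part of the original advisory or of any Siemens or WIBU tooling: a Python triage of an asset inventory against the fix versions and end-of-life list in this advisory. The inventory entries are constructed, and the script assumes installed versions are recorded in the same notation the advisory uses (for example "3.18 P019").

```python
import re

# Fix versions as given in this advisory's hotfix list.
FIXED = {
    "PSS CAPE V15": "15.0.22",
    "PSS E V34": "34.9.6",
    "PSS E V35": "35.6.1",
    "PSS ODMS V13.1": "13.1.12.1",
    "SIMATIC WinCC OA V3.17": "3.17 P030",
    "SIMATIC WinCC OA V3.18": "3.18 P021",
    "SIMATIC WinCC OA V3.19": "3.19 P006",
    "SIMIT Simulation Platform": "11.2",
    "SINEC INS": "1.0 SP2 Update 2",
}
# Lower bound of the affected range, where the advisory states one.
AFFECTED_FROM = {"SIMIT Simulation Platform": "10.0"}
# Products the advisory lists as end of life with no planned fix.
NO_FIX = {"PSS CAPE V14", "PSS ODMS V13.0", "SIMATIC PCS neo V3",
          "SIMATIC PCS neo V4.0", "SINEMA Remote Connect"}

def version_key(text, width=4):
    """'V3.17 P030' -> (3, 17, 30, 0): every integer in order, zero-padded."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    return tuple(nums + [0] * (width - len(nums)))

def triage(product, installed):
    """Classify one inventory entry against the advisory's version data."""
    if product in NO_FIX:
        return "no fix: apply compensating controls"
    if product not in FIXED:
        return "not listed"
    have = version_key(installed)
    low = AFFECTED_FROM.get(product)
    if low and have < version_key(low):
        return "not affected"
    if have < version_key(FIXED[product]):
        return f"update to {FIXED[product]} or later"
    return "fixed"

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical product/version pairs).
    inventory = [
        ("SIMATIC WinCC OA V3.18", "3.18 P019"),
        ("SIMIT Simulation Platform", "9.1"),
        ("SINEC INS", "1.0 SP2 Update 1"),
        ("PSS ODMS V13.0", "13.0.4"),
    ]
    for product, installed in inventory:
        print(f"{product:28} {installed:18} {triage(product, installed)}")
```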
CVEs (1)