OTPulse

WIBU Systems CodeMeter Runtime Vulnerabilities in Siemens Products

Act Now · CVSS 10 · SSA-455843 · Sep 8, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Six vulnerabilities (CVE-2020-14509, CVE-2020-14513, CVE-2020-14515, CVE-2020-14517, CVE-2020-14519, CVE-2020-16233) in CodeMeter Runtime, a license management component embedded in Siemens products, allow attackers to forge license files, cause denial of service, achieve remote code execution, or prevent normal operation of affected software. The vulnerabilities stem from improper input validation (CWE-20), insufficient cryptographic strength (CWE-326), weak signature verification (CWE-347), missing authentication (CWE-346), and buffer overflows (CWE-805).

What this means
What could happen
An attacker could forge or alter license files, disable critical Siemens software through denial of service, or execute arbitrary code on systems running affected versions. In a water authority or utility, this could disrupt SCADA systems, historian functions, or remote access tools used to monitor and control plant operations.
Who's at risk
Water and power utilities using Siemens SCADA and monitoring software are affected. Specific concern: organizations running PSS CAPE (older protection relay simulators), SICAM 230 (substation automation), SIMATIC WinCC OA (visualization/HMI), SIMATIC Process Historian (data logging and compliance), SIMATIC Information Server, SINEMA Remote Connect (remote access for engineering), and SIMIT (training/simulation). Any facility with these products embedded in historian, remote access, or control system engineering workstations is at risk.
How it could be exploited
An attacker with network access to a host running an affected Siemens product could send crafted requests to the CodeMeter Runtime license management service without valid credentials, exploiting weak signature verification or missing input validation to forge a license file or trigger a buffer overflow. Depending on the vulnerability, this could result in code execution with the privileges of the affected software process, or denial of service that prevents the application from running.
Prerequisites
  • Network access to the TCP/IP port or interface where CodeMeter Runtime is listening
  • No authentication credentials required
  • Affected product version must be installed and CodeMeter Runtime actively used for license management
remotely exploitable · no authentication required · low complexity attack · high CVSS score (10) · affects critical infrastructure software · affects safety and control systems · no patch available for multiple products
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (9)
7 with fix · 2 EOL
Product | Affected Versions | Fix Status
SIMATIC PCS neo | < V3.0 SP1 Update 1 | 3.0 SP1 Update 1
SIMATIC WinCC OA | < V3.17 P007 | 3.17 P007
SIMIT Simulation Platform | ≥ V10.0 and < V10.2 Upd1 | 10.2 Upd1
SINEC INS | < V1.0 SP1 | 1.0 SP1
SINEMA Remote Connect | < V3.0 | 3.0
PSS CAPE Protection Simulation Platform | CAPE 14 installations installed from material dated earlier than 2020-09-15 | No fix (EOL)
SICAM 230 | All versions | No fix (EOL)
SIMATIC Information Server 2019 | Version 2019 SP1 | 2019 SP1 Update 1
Remediation & Mitigation
Do now
SICAM 230
HARDENING: For SICAM 230: No vendor fix is available; implement network segmentation to restrict access to the device to only authorized engineering workstations and control systems
SIMATIC Information Server 2019
HARDENING: For SIMATIC Information Server 2019 SP1: No fix available; restrict network access to the server and implement firewall rules to allow only trusted hosts
All products
HARDENING: For PSS CAPE 14 installations: Replace with material dated 2020-09-15 or later, or isolate from network access until replacement is available
HARDENING: For SIMATIC Process Historian 2019: No fix available; update to PCS neo V3.0 SP1 Update 1 if feasible, otherwise isolate from untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC PCS neo
HOTFIX: Update SIMATIC PCS neo to version 3.0 SP1 Update 1 or later
SIMATIC WinCC OA
HOTFIX: Update SIMATIC WinCC OA to version 3.17 P007 or later
SIMIT Simulation Platform
HOTFIX: Update SIMIT Simulation Platform to version 10.2 Upd1 or later
SINEC INS
HOTFIX: Update SINEC INS to version 1.0 SP1 or later
SINEMA Remote Connect
HOTFIX: Update SINEMA Remote Connect to version 3.0 or later