WIBU Systems CodeMeter Runtime Denial-of-Service Vulnerability in Siemens Products

Plan PatchCVSS 7.1SSA-580693Nov 9, 2021

SiemensMitsubishi Electric

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in WIBU Systems CodeMeter Runtime (CVE-2021-41057), used for license management in several Siemens industrial software products, allows a local attacker with low privilege user access to crash the CodeMeter.exe service. Successful exploitation causes a denial-of-service condition that makes the dependent Siemens application unavailable until the service is manually restarted. The vulnerability affects SCADA planning, power system analysis, process control, and historical data management software from Siemens.

What this means

What could happen

A local attacker with low privileges could crash the CodeMeter license server, causing the affected Siemens SCADA software (PSS E, ODMS, WinCC OA, Process Historian, etc.) to stop functioning until the service is restarted, disrupting power system monitoring, control, or simulation operations.

Who's at risk

Power system engineers and operators using Siemens SCADA and control software: PSS E (power system planning), PSS ODMS (outage management), SIMATIC WinCC OA (visualization and automation), SIMATIC Process Historian (data archival), and SIMATIC PCS neo (process control). Also affects Siemens CAPE power system design software and SIMIT simulation platform. Risk is highest for systems where local user access is not tightly controlled.

How it could be exploited

An attacker with local user privileges on a workstation or engineering station running one of the affected Siemens products could send a specially crafted request to the CodeMeter Runtime Server process (CodeMeter.exe). This causes the license server to crash and makes the dependent SCADA application unavailable for operation.

Prerequisites

Local user access to the system running the affected Siemens product
CodeMeter Runtime process running as part of the Siemens software (automatic)
Low privilege user account (no admin rights needed)

Locally exploitable (requires local user account)Low complexity exploitNo authentication complexity (uses existing user privilege)Affects SCADA and control software availabilityTwo Siemens products (CAPE 14, SICAM 230) have no patch available

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (11)

9 with fix1 pending1 EOL

ProductAffected VersionsFix Status

PSS(R)CAPECAPE 14 installations installed from material dated earlier than 2021-10-05No fix yet

PSS(R)E V34< V34.9.134.9.1

PSS(R)E V35< V35.3.235.3.2

PSS(R)ODMS V12< V12.2.6.112.2.6.1

SIMATIC Information Server≥ 2019 SP1 and < 2020 Update 22020 Update 2

SIMATIC PCS neo< V3.1 Upd13.1 Upd 1

SIMATIC Process Historian (incl. Process Historian OPC UA Server)≥ 2019 and < 2020 Update 22020 Update 2

SIMATIC WinCC OA V3.17< V3.17 P0153.17 P015

Remediation & Mitigation

0/11

Schedule — requires maintenance window

0/10

Patching may require device reboot — plan for process interruption

Mitigations - no patch available

0/1

SICAM 230 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGFor systems unable to upgrade: restrict local user access to engineering stations and workstations running affected products to trusted personnel only, and monitor for unexpected crashes of CodeMeter.exe process

CVEs (1)

CVE-2021-41057

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f1e2eee1-2c76-496b-971e-dfad0d3a10da

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.