OTPulse

Multiple WIBU Systems CodeMeter Vulnerabilities Affecting the Desigo CC Product Family and SENTRON powermanager

Priority: Act Now
CVSS: 9.1
Advisory: SSA-625850
Published: Nov 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities exist in the WIBU Systems CodeMeter Runtime component embedded in Siemens Desigo CC (versions V5.0–V7, including Compact, Connect, and Cerberus DMS variants) and SENTRON powermanager (version 4.0 and later). These vulnerabilities allow remote attackers to execute arbitrary code on the server or cause denial of service without authentication or user interaction. Desigo CC V7 is affected only by CVE-2023-3935; versions V5.0, V5.1, and V6 are affected by all listed CodeMeter vulnerabilities. Siemens has released a patch to update the CodeMeter Runtime component.

What this means
What could happen
An attacker could remotely run arbitrary code on your Desigo CC building management or SENTRON power management server without authentication, potentially altering building controls, HVAC setpoints, or power distribution settings, or cause the server to become unavailable.
Who's at risk
Building automation and power management operators should prioritize this: energy utilities using SENTRON powermanager for distribution system monitoring, and facilities managers or building operators running Desigo CC (including Desigo CC Compact, Connect, or Cerberus DMS variants) for HVAC, lighting, or integrated building controls. All versions V5.0 through V7 are affected.
How it could be exploited
An attacker on the network sends a malicious request to the Desigo CC or SENTRON powermanager server, targeting the vulnerable CodeMeter Runtime component. The vulnerability allows code execution or denial of service without requiring valid credentials or user interaction.
Prerequisites
  • Network access to the Desigo CC or SENTRON powermanager server
  • No authentication or valid credentials required
  • Server must be running an affected version of the CodeMeter Runtime component
Risk factors
  • remotely exploitable
  • no authentication required
  • low complexity
  • high CVSS score (9.1)
  • affects critical building and power management infrastructure
  • no patch available for all affected product versions
Exploitability
Moderate exploit probability (EPSS 8.2%)
Affected products (5): 1 with fix, 4 pending

Product                   | Affected Versions | Fix Status
Desigo CC family V5.0     | All versions      | No fix yet
Desigo CC family V5.1     | All versions      | No fix yet
Desigo CC family V6       | All versions      | No fix yet
Desigo CC family V7       | All versions      | No fix yet
SENTRON powermanager      | ≥ V4.0            | Available via patch
Remediation & Mitigation
Do now
WORKAROUND (SENTRON powermanager): Restrict network access to Desigo CC and SENTRON powermanager servers using firewall rules; limit connections to authorized engineering workstations and control systems only.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX (SENTRON powermanager): Apply the Siemens patch for the CodeMeter Runtime component to all affected Desigo CC and SENTRON powermanager systems (available at https://support.industry.siemens.com/cs/ww/en/view/109825787/).
Long-term hardening
HARDENING: Implement network segmentation to isolate building management and power management systems from untrusted networks (guest networks, internet-facing systems).