OTPulse

WIBU Systems CodeMeter Runtime Vulnerabilities in Siemens Products

Act Now · 9.1 · SSA-675303 · Jul 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

WIBU Systems CodeMeter Runtime contains two vulnerabilities (CVE-2021-20093, CVE-2021-20094) in the network server component. These allow an unauthenticated attacker to read sensitive data from heap memory or crash the CodeMeter Runtime service via specially crafted network requests. CodeMeter Runtime is embedded in multiple Siemens products for license management. Successful exploitation could disrupt license validation and halt dependent SIMATIC applications.

What this means
What could happen
An attacker with network access to the CodeMeter Runtime server could read sensitive data from memory or crash the service, disrupting license validation and potentially halting applications that depend on Siemens HMI, historian, or simulation platforms.
Who's at risk
Siemens operators running SIMATIC HMI platforms (WinCC OA), historians (SIMATIC Process Historian), information servers, network security appliances (SINEC INS), and simulation systems (SIMIT) are affected. Organizations using PSS CAPE, SICAM 230, or older SIMATIC Process Historian versions with no available patches face elevated risk.
How it could be exploited
An attacker sends a specially crafted request to the CodeMeter Runtime network server (typically port 22350). The request exploits a vulnerability in the CodeMeter protocol to either leak heap memory containing sensitive data or trigger a denial-of-service crash. No authentication is required.
Prerequisites
  • Network connectivity to CodeMeter Runtime server port (typically 22350)
  • CodeMeter Runtime service running and exposed to the network
remotely exploitable · no authentication required · low complexity · affects multiple control system applications · no patch available for some products · heap information disclosure · denial of service capability
Exploitability
Moderate exploit probability (EPSS 8.2%)
Affected products (10)
6 with fix · 4 EOL
Product | Affected Versions | Fix Status
SIMATIC PCS neo | < V3.1 | 3.1
SIMATIC WinCC OA V3.17 | < V3.17 P013 | 3.17 P013
SIMATIC WinCC OA V3.18 | < V3.18 P002 | 3.18 P002
SIMIT Simulation Platform | ≥ V10.0 < V10.3 Upd 1 | 10.3 Upd1
SINEC INS | < V1.0.1 Update 1 | 1.0.1 Update 1
SINEMA Remote Connect Server | < V3.0 SP2 | 3.0 SP2
SICAM 230 | All versions | No fix (EOL)
SIMATIC Information Server | ≥ 2019 SP1 < 2020 Upd1 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the CodeMeter Runtime server port (typically 22350) to trusted engineering networks only; implement firewall rules to block external access.
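An added example, not part of the advisory or of any Siemens or WIBU tooling: one way to verify the workaround is to check firewall flow logs for connections to the CodeMeter port from sources outside the trusted engineering networks. The log format, the trusted subnets and all sample records are constructed assumptions.

```python
import ipaddress

CODEMETER_PORT = 22350  # typical CodeMeter Runtime server port, per the advisory

# Assumption: this site's trusted engineering networks (constructed values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.30.0/24", "127.0.0.0/8")]

# Constructed records in a hypothetical "src:port -> dst:port ACTION" log format.
SAMPLE_FLOWS = """\
10.20.30.15:50112 -> 10.20.40.5:22350 ALLOW
192.168.7.44:61022 -> 10.20.40.5:22350 ALLOW
10.20.30.15:50113 -> 10.20.40.5:443 ALLOW
203.0.113.9:40000 -> 10.20.40.5:22350 DENY
not a flow line
"""

def parse_flow(line):
    """Return (src_ip, dst_ip, dst_port, action), or None for malformed lines."""
    parts = line.split()
    if len(parts) != 4 or parts[1] != "->":
        return None
    try:
        src_host = parts[0].rsplit(":", 1)[0]
        dst_host, dst_port = parts[2].rsplit(":", 1)
        return (ipaddress.ip_address(src_host), ipaddress.ip_address(dst_host),
                int(dst_port), parts[3].upper())
    except ValueError:
        return None

def is_trusted(addr, nets=TRUSTED_NETS):
    return any(addr in net for net in nets)

def untrusted_codemeter_flows(log_text, nets=TRUSTED_NETS, port=CODEMETER_PORT):
    """List flows to the CodeMeter port whose source is outside the trusted networks.

    gap=True (an ALLOW entry) means the restriction is not in effect on that path;
    gap=False (a DENY entry) shows the rule working and who was blocked.
    """
    findings = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, dport, action = flow
        if dport == port and not is_trusted(src, nets):
            findings.append({"src": str(src), "dst": str(dst),
                             "action": action, "gap": action == "ALLOW"})
    return findings

if __name__ == "__main__":
    for finding in untrusted_codemeter_flows(SAMPLE_FLOWS):
        print(finding)
```

Any finding with `gap` set to true identifies a path on which the port is still reachable from outside the trusted networks.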
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC PCS neo
HOTFIX: Update SIMATIC PCS neo to version 3.1 or later
SIMATIC WinCC OA V3.17
HOTFIX: Update SIMATIC WinCC OA V3.17 to patch level P013 or later
SIMATIC WinCC OA V3.18
HOTFIX: Update SIMATIC WinCC OA V3.18 to patch level P002 or later
SIMIT Simulation Platform
HOTFIX: Update SIMIT Simulation Platform to version 10.3 Update 1 or later
SINEC INS
HOTFIX: Update SINEC INS to version 1.0.1 Update 1 or later
SINEMA Remote Connect Server
HOTFIX: Update SINEMA Remote Connect Server to version 3.0 SP2 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SICAM 230, SIMATIC Information Server, SIMATIC Process Historian (incl. Process Historian OPC UA Server), PSS®CAPE. Apply the following compensating controls:
HARDENING: Segment license management and CodeMeter Runtime services onto a dedicated, isolated network if possible to limit attack surface.