PHOENIX CONTACT: Products utilizing WIBU-SYSTEMS CodeMeter components

Priority: Act Now
CVSS score: 9.8
Advisory: VDE-2020-030
Published: Sep 9, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple critical vulnerabilities exist in WIBU-SYSTEMS CodeMeter components, with a CVSS score of 9.8 (CWE-404, CWE-805, CWE-346 - buffer overflow and memory corruption issues). These affect Phoenix Contact products including E-Mobility Charging Suite, FL Network Manager, IOL-CONF, PC Worx Engineer, and PLCnext Engineer EDU. The vulnerabilities are remotely exploitable through the CodeMeter Runtime WebSockets API without requiring authentication. WIBU-SYSTEMS released CodeMeter Runtime 7.10 to address these issues, and Phoenix Contact has released Activation Wizard 1.3.2 which bundles the patched CodeMeter Runtime and disables the WebSockets API by default.

What this means
What could happen
An attacker on the network can remotely execute code on engineering workstations and license servers running vulnerable CodeMeter components, potentially gaining full control of software configuration, license verification, and automation tool operations.
Who's at risk
Engineering teams and operators using Phoenix Contact automation tools on Windows workstations. Specifically affects organizations using EV Charging Suite (versions ≤1.7.3), FL Network Manager (≤4.20), IOL-CONF (1.7.0), PC Worx Engineer (≤2020.06), or PLCnext Engineer EDU (≤2020.06). Any organization running a CodeMeter Network License Server is also at risk.
How it could be exploited
An attacker can send a malicious network request to the CodeMeter Runtime WebSockets API (enabled by default on affected systems) without authentication, triggering a buffer overflow or memory corruption flaw that allows arbitrary code execution with the privileges of the CodeMeter Runtime process.
Prerequisites
  • Network access to the CodeMeter Runtime WebSockets API port (default port 22350)
  • CodeMeter Runtime must be running with WebSockets API enabled (default configuration)
  • No authentication required
Tags: remotely exploitable, no authentication required, low complexity, critical CVSS score (9.8), affects engineering automation tools, affects license verification systems
Affected products (5), all 5 End of Life

Product                                                                       Affected Versions   Fix Status
E-Mobility Charging Suite license codes for EV Charging Suite Setup <=1.7.3   ≤ 1.7.3             No fix (EOL)
FL Network Manager <=4.20                                                     ≤ 4.20              No fix (EOL)
IOL-CONF 1.7.0                                                                1.7.0               No fix (EOL)
PC Worx Engineer <=2020.06                                                    ≤ 2020.06           No fix (EOL)
PLCnext Engineer EDU LIC <=2020.06                                            ≤ 2020.06           No fix (EOL)
Remediation & Mitigation
Do now
HOTFIX: Install Activation Wizard 1.3.2 or higher, which includes CodeMeter Runtime 7.10 and disables the WebSockets API by default.
WORKAROUND: If Activation Wizard cannot be deployed immediately, disable the CodeMeter Runtime WebSockets API in all affected products (E-Mobility Charging Suite, FL Network Manager, IOL-CONF, PC Worx Engineer, PLCnext Engineer EDU).
WORKAROUND: Restrict network access to the CodeMeter Runtime communication ports (default 22350) to trusted engineering workstations and license servers only, using firewall rules.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: E-Mobility Charging Suite license codes for EV Charging Suite Setup <=1.7.3, FL Network Manager <=4.20, IOL-CONF 1.7.0, PC Worx Engineer <=2020.06, PLCnext Engineer EDU LIC <=2020.06. Apply the following compensating controls:
HARDENING: Configure CodeMeter Runtime to listen only on localhost (127.0.0.1) if network license sharing is not required.
HARDENING: If CodeMeter Runtime must operate as a Network License Server, isolate it in a secure network segment restricted from untrusted sources.
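The two network-side controls above (confirm whether the CodeMeter port is reachable beyond localhost, and scope inbound access to trusted hosts with firewall rules) can be applied from an elevated PowerShell session on the affected Windows workstations. The script below is an added example for this page, not code from the advisory, Phoenix Contact or WIBU-SYSTEMS. It assumes TCP 22350 as the CodeMeter port named in the advisory, the built-in NetTCPIP and NetSecurity cmdlets (Windows 8 / Server 2012 and later), a placeholder $TrustedHosts list (192.0.2.x addresses) and a rule name of its own; it reports whether the listener is exposed but does not change CodeMeter's own localhost-only setting, which is made in the CodeMeter Runtime configuration.

```powershell
# Added example (not from the advisory, Phoenix Contact or WIBU-SYSTEMS).
# Audits whether the CodeMeter Runtime TCP port is exposed beyond localhost and scopes
# the inbound Windows Firewall allow rule for that port to trusted hosts.
# Run in an elevated PowerShell session.

$CodeMeterPort = 22350                            # default CodeMeter port named in the advisory
$TrustedHosts  = @('192.0.2.10', '192.0.2.20')    # PLACEHOLDER: your license server / trusted workstations
$Loopback      = @('127.0.0.1', '::1')

# --- 1. Audit: is anything listening on the port, and is it bound beyond localhost? ---
# LocalAddress 0.0.0.0 or :: means connections are accepted from any interface;
# 127.0.0.1 / ::1 means the localhost-only configuration the advisory recommends is in effect.
$listeners = Get-NetTCPConnection -LocalPort $CodeMeterPort -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Warning "No listener on TCP $CodeMeterPort (CodeMeter Runtime not running, or configured for another port)."
}
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Process        = $proc.ProcessName
        LocalAddress   = $l.LocalAddress
        Port           = $l.LocalPort
        NetworkExposed = ($l.LocalAddress -notin $Loopback)
    }
}

# --- 2. Restrict: allow inbound access to the port only from trusted hosts ---
# Windows Firewall evaluates Block rules before Allow rules, so a blanket Block on the port
# would also cut off the trusted hosts. Instead: rely on each profile's default inbound action
# being Block, disable any unscoped Allow rule for the port, and add one scoped Allow rule.
Get-NetFirewallProfile | ForEach-Object {
    Write-Host "$($_.Name) profile default inbound action: $($_.DefaultInboundAction)"
}

$portRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$CodeMeterPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

foreach ($rule in $portRules) {
    $scope = $rule | Get-NetFirewallAddressFilter
    if ($scope.RemoteAddress -contains 'Any') {
        Write-Host "Disabling unscoped inbound allow rule: $($rule.DisplayName)"
        $rule | Disable-NetFirewallRule
    }
}

$ruleName = 'CodeMeter Runtime TCP 22350 - trusted hosts only'   # name chosen for this example
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $CodeMeterPort -RemoteAddress $TrustedHosts -Action Allow `
        -Profile @('Domain', 'Private') | Out-Null
    Write-Host "Created scoped allow rule for TCP $CodeMeterPort from: $($TrustedHosts -join ', ')"
}
```

Run the audit section alone first on a license server: a NetworkExposed value of True on a host that is not meant to serve licenses is the condition the localhost-only hardening removes, while on a Network License Server it is expected and the scoped firewall rule (plus network segmentation) is the control that applies. If any profile reports a default inbound action other than Block, the scoped Allow rule on its own does not restrict access and the profile default should be corrected first.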
PHOENIX CONTACT: Products utilizing WIBU-SYSTEMS CodeMeter components | CVSS 9.8 - OTPulse