PHOENIX CONTACT: Products utilizing WIBU-SYSTEMS CodeMeter components

Plan PatchCVSS 9.8VDE-2020-030Sep 9, 2020

Phoenix ContactManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple critical vulnerabilities exist in WIBU-SYSTEMS CodeMeter components, with a CVSS score of 9.8 (CWE-404, CWE-805, CWE-346 - buffer overflow and memory corruption issues). These affect Phoenix Contact products including E-Mobility Charging Suite, FL Network Manager, IOL-CONF, PC Worx Engineer, and PLCnext Engineer EDU. The vulnerabilities are remotely exploitable through the CodeMeter Runtime WebSockets API without requiring authentication. WIBU-SYSTEMS released CodeMeter Runtime 7.10 to address these issues, and Phoenix Contact has released Activation Wizard 1.3.2 which bundles the patched CodeMeter Runtime and disables the WebSockets API by default.

What this means

What could happen

An attacker on the network can remotely execute code on engineering workstations and license servers running vulnerable CodeMeter components, potentially gaining full control of software configuration, license verification, and automation tool operations.

Who's at risk

Engineering teams and operators using Phoenix Contact automation tools on Windows workstations. Specifically affects organizations using EV Charging Suite (versions ≤1.7.3), FL Network Manager (≤4.20), IOL-CONF (1.7.0), PC Worx Engineer (≤2020.06), or PLCnext Engineer EDU (≤2020.06). Any organization running a CodeMeter Network License Server is also at risk.

How it could be exploited

An attacker can send a malicious network request to the CodeMeter Runtime WebSockets API (enabled by default on affected systems) without authentication, triggering a buffer overflow or memory corruption flaw that allows arbitrary code execution with the privileges of the CodeMeter Runtime process.

Prerequisites

Network access to the CodeMeter Runtime WebSockets API port (default port 22350)
CodeMeter Runtime must be running with WebSockets API enabled (default configuration)
No authentication required

remotely exploitableno authentication requiredlow complexitycritical CVSS score (9.8)affects engineering automation toolsaffects license verification systems

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (5)

5 EOL

ProductAffected VersionsFix Status

E-Mobility Charging Suite license codes for EV Charging Suite Setup <=1.7.3≤ 1.7.3No fix (EOL)

FL Network Manager <=4.20≤ 4.20No fix (EOL)

IOL-CONF 1.7.01.7.0No fix (EOL)

PC Worx Engineer <=2020.06≤ 2020.06No fix (EOL)

PLCnext Engineer EDU LIC <=2020.06≤ 2020.06No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

HOTFIXInstall Activation Wizard 1.3.2 or higher, which includes CodeMeter Runtime 7.10 and disables the WebSockets API by default

WORKAROUNDIf Activation Wizard cannot be deployed immediately, disable the CodeMeter Runtime WebSockets API in all affected products (E-Mobility Charging Suite, FL Network Manager, IOL-CONF, PC Worx Engineer, PLCnext Engineer EDU)

WORKAROUNDRestrict network access to CodeMeter Runtime communication ports (default 22350) to trusted engineering workstations and license servers only using firewall rules

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: E-Mobility Charging Suite license codes for EV Charging Suite Setup <=1.7.3, FL Network Manager <=4.20, IOL-CONF 1.7.0, PC Worx Engineer <=2020.06, PLCnext Engineer EDU LIC <=2020.06. Apply the following compensating controls:

HARDENINGConfigure CodeMeter Runtime to listen only on localhost (127.0.0.1) if network license sharing is not required

HARDENINGIf CodeMeter Runtime must operate as a Network License Server, isolate it in a secure network segment restricted from untrusted sources

CVEs (3)

CVE-2020-16233 CVE-2020-14509 CVE-2020-14519

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/8fde5061-ec01-4573-b12c-93b733a9a094

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.