Pilz: Multiple products prone to WIBU-SYSTEMS CodeMeter vulnerabilities

Plan PatchCVSS 9.8VDE-2020-033Sep 10, 2020

CODESYSPilz

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple Pilz software tools (CODESYS DevSys, PASvisu, PAS4000, PNOZsigma, SafetyEYE, Live Video Server) use WIBU-SYSTEMS CodeMeter Runtime for license management. CodeMeter Runtime versions below 6.90 contain multiple vulnerabilities in license file verification (CWE-346, CWE-347), input validation (CWE-20), and cryptographic handling (CWE-326) that allow attackers to forge license files, cause denial-of-service, or execute arbitrary code without authentication. Affected Pilz products can be patched to version 7.10, but CodeMeter Runtime itself has no patch planned if used as a standalone component.

What this means

What could happen

An attacker with network access could forge license files, disrupt operations by causing denial-of-service, or execute arbitrary code on devices running vulnerable CodeMeter Runtime versions. This affects all Pilz safety and process control tools that depend on CodeMeter for license management.

Who's at risk

Organizations operating Pilz safety systems and automation tools including CODESYS DevSys, PASvisu, PAS4000, PNOZsigma, SafetyEYE, and Live Video Server. Any facility using these products for industrial process control, safety management, or visual monitoring is affected.

How it could be exploited

An attacker with network connectivity to a device running vulnerable CodeMeter Runtime can send crafted requests to manipulate license validation. By exploiting weaknesses in license file verification (CWE-346, CWE-347) and insufficient input validation (CWE-20), the attacker could forge valid license files, trigger crashes, or inject code that executes with the Runtime's privileges.

Prerequisites

Network access to CodeMeter Runtime (default: listening on network interfaces)
No authentication required
Vulnerable CodeMeter Runtime version <6.90 installed on the target device

Remotely exploitableNo authentication requiredLow complexity attackHigh CVSS score (9.8)No patch available for CodeMeter Runtime standaloneAffects safety-critical systems

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (7)

6 with fix1 EOL

ProductAffected VersionsFix Status

Software CODESYS DevSys <=V3 3.5.12<6.907.10

Software Live Video Server <=1.1.0<6.907.10

Software PAS4000 <=1.21.1<6.907.10

Software CodeMeter Runtime <6.90<6.90No fix (EOL)

Software PASvisu <=1.9.0<6.907.10

Software PNOZsigma <=1.3.0<6.907.10

Software SafetyEYE 3.0.0<=3.0.1<6.907.10

Remediation & Mitigation

0/3

Do now

0/2

HARDENINGEnsure CodeMeter Runtime is configured to run as Client only (verify default configuration is not overridden)

WORKAROUNDDeploy local firewall rules to restrict network access to CodeMeter Runtime services, allowing only trusted engineering workstations and administrative systems

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate CodeMeter Runtime to version 7.10 or later from WIBU-SYSTEMS website

CVEs (6)

CVE-2020-12499 CVE-2020-14517 CVE-2020-16233 CVE-2020-14519 CVE-2020-14513 CVE-2020-14515

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5e38521b-d327-45b3-840f-1bf8ffe301aa

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.