WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro
Priority: Plan Patch · CVSS score: 7.1 · Advisory ID: VDE-2022-002 · Published: Jan 31, 2022
Attack Vector: Local
Privileges Required: Low (a standard local user account)
Complexity: Low
User Interaction: None needed
Summary
A vulnerability exists in the WIBU-SYSTEMS CodeMeter licensing runtime, which the WAGO e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installation bundles install by default. It allows a local user with a standard account to write files or perform operations outside the boundaries CodeMeter is meant to enforce, compromising the integrity, and potentially the availability, of the engineering workstation. e!COCKPIT versions prior to 1.11 are affected and fixed in 1.11. Every listed WAGO-I/O-Pro (CODESYS 2.3) build (2.3.9.46, 2.3.9.47, 2.3.9.49, 2.3.9.53, 2.3.9.55, 2.3.9.61 and 2.3.9.66) is affected; no fixed WAGO-I/O-Pro build is available yet, with 2.3.9.68 announced for Q1 2022. Because the flaw is in CodeMeter itself, the advisory also lists installing the latest standalone CodeMeter runtime as a fix that applies to all affected products.
What this means
What could happen
A local attacker with a standard user account could exploit the flaw in the bundled CodeMeter licensing component to modify files or stop system processes, disrupting the engineering workstation and, with it, the ability to reach and program the controlled devices.
Who's at risk
Engineering staff and system integrators who use WAGO e!COCKPIT or WAGO-I/O-Pro (CODESYS 2.3) to program and configure WAGO PLCs, I/O terminals and remote I/O devices, including any water utility or municipal electric utility that runs WAGO-based automation for process control or telemetry.
How it could be exploited
An attacker who already has local, user-level access to a workstation running e!COCKPIT or WAGO-I/O-Pro would abuse the CodeMeter component these packages install by default to write files or perform operations with privileges above those of the attacker's own account, affecting the integrity of the engineering tools and the ability to program PLCs and I/O controllers.
Prerequisites
- Local access to engineering workstation running affected e!COCKPIT or WAGO-I/O-Pro installation
- User-level privileges (no admin required)
Key facts: local access with a standard user account required (no admin rights) · low exploitation complexity · affects engineering workstations · no fixed WAGO-I/O-Pro (CODESYS 2.3) build available yet
Affected products (8): 1 with fix, 7 pending
Product | Affected versions | Fix status
e!COCKPIT engineering software installation bundle | < V1.11 | Fixed in V1.11
WAGO-I/O-Pro (CODESYS 2.3) engineering software installation | 2.3.9.46 | No fix yet
WAGO-I/O-Pro (CODESYS 2.3) engineering software installation | 2.3.9.47 | No fix yet
WAGO-I/O-Pro (CODESYS 2.3) engineering software installation | 2.3.9.49 | No fix yet
WAGO-I/O-Pro (CODESYS 2.3) engineering software installation | 2.3.9.53 | No fix yet
WAGO-I/O-Pro (CODESYS 2.3) engineering software installation | 2.3.9.55 | No fix yet
WAGO-I/O-Pro (CODESYS 2.3) engineering software installation | 2.3.9.61 | No fix yet
WAGO-I/O-Pro (CODESYS 2.3) engineering software installation | 2.3.9.66 | No fix yet
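The affected-products table above, turned into a check a practitioner can run on a Windows engineering workstation. This is an added example, not code from WAGO or from the advisory: it reads the standard Uninstall registry hives and compares the installed versions against the thresholds the table gives. The DisplayName patterns ('*e!COCKPIT*', '*WAGO-I/O-Pro*', '*CodeMeter*') are assumptions about how the installers register themselves and may need adjusting on your hosts.

```powershell
# Added example, not part of the WAGO advisory: inventory a Windows engineering
# workstation for the product versions the advisory lists as affected. It reads only
# the standard Uninstall registry hives. The DisplayName patterns are assumptions
# about how the installers register themselves; adjust them if they do not match.

$UninstallHives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledProduct {
    param([Parameter(Mandatory)][string]$NamePattern)
    Get-ItemProperty -Path $UninstallHives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}

function ConvertTo-VersionOrNull {
    param([string]$Text)
    # Installers sometimes append letters to a version (e.g. '7.30a'); keep the numeric prefix.
    if ($Text -match '^\d+(\.\d+){1,3}') { return [version]$Matches[0] }
    return $null
}

function Test-WagoAdvisoryExposure {
    # Thresholds taken from the advisory's affected-products table:
    # e!COCKPIT is fixed in V1.11; every listed WAGO-I/O-Pro (CODESYS 2.3) build is
    # affected and the announced fix is 2.3.9.68. The advisory does not state a fixed
    # CodeMeter runtime version, so CodeMeter is reported for manual comparison only.
    $checks = @(
        @{ Pattern = '*e!COCKPIT*';    FixedIn = [version]'1.11';     Action = 'Update to e!COCKPIT 1.11 or later, or apply the 1.10 patch when released' },
        @{ Pattern = '*WAGO-I/O-Pro*'; FixedIn = [version]'2.3.9.68'; Action = 'No fixed build yet: apply the CodeMeter workaround and update CodeMeter standalone' },
        @{ Pattern = '*CodeMeter*';    FixedIn = $null;               Action = 'Compare with the fixed runtime version in the WIBU-SYSTEMS advisory; update if older' }
    )

    foreach ($c in $checks) {
        foreach ($p in Get-InstalledProduct -NamePattern $c.Pattern) {
            $v = ConvertTo-VersionOrNull $p.DisplayVersion
            $affected = if ($null -eq $c.FixedIn -or $null -eq $v) { 'unknown' }
                        elseif ($v -lt $c.FixedIn) { 'yes' }
                        else { 'no' }
            [pscustomobject]@{
                Product  = $p.DisplayName
                Version  = $p.DisplayVersion
                Affected = $affected
                Action   = $c.Action
            }
        }
    }
}

Test-WagoAdvisoryExposure | Format-Table -AutoSize -Wrap
```

Run it under an account that can read HKLM (any interactive user can) and feed the output into whatever inventory you keep for the workstation fleet; an empty result means none of the three product names was found in the Uninstall hives, not that the host is clean, so check the patterns against Programs and Features on one known-affected host first.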
Remediation & Mitigation
Do now
- WORKAROUND: Disable the 'Mass Storage' container type in CodeMeter via the Windows Registry as a temporary workaround until the fixed CodeMeter runtime is installed
Schedule (requires a maintenance window; patching may require a reboot, so plan for process interruption)
- HOTFIX, WAGO-I/O-Pro (CODESYS 2.3) engineering software installation 2.3.9.53: Update WAGO-I/O-Pro (CODESYS 2.3) to version 2.3.9.68 or later when available (announced for Q1 2022)
- HOTFIX, all products: Update e!COCKPIT to version 1.11 or later, or apply the security patch for e!COCKPIT 1.10 when available
- HOTFIX, all products: Install the latest standalone WIBU-SYSTEMS CodeMeter version on all engineering workstations without waiting for the WAGO package updates; this replaces the vulnerable component directly, whichever WAGO package installed it
Long-term hardening
- HARDENING: Restrict physical and remote access to engineering workstations to authorized personnel only
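The "Do now" workaround as a repeatable script, an added example that is not code from WAGO or WIBU-SYSTEMS. The page only says the 'Mass Storage' container type is disabled "via Windows Registry"; it does not give the key, the value name or the value, so the script takes all three as mandatory parameters that must be copied from the WIBU-SYSTEMS advisory for this issue. It backs up the previous registry state before changing anything, restarts the runtime service (the service name 'CodeMeter.exe' and the need for a restart are assumptions; confirm both on a test host) and then verifies the result.

```powershell
# Added example, not part of the WAGO or WIBU-SYSTEMS advisories: apply the interim
# workaround (disable CodeMeter's 'Mass Storage' container type via the registry)
# with a backup of the previous state, then verify. The registry key, value name and
# value that switch the container type off are NOT given on the advisory page; take
# them from the WIBU-SYSTEMS advisory for this issue and pass them as parameters.
# 'CodeMeter.exe' is assumed to be the service name of the CodeMeter Runtime Server;
# confirm with Get-Service before relying on it.
#Requires -RunAsAdministrator

param(
    [Parameter(Mandatory)][string]$RegistryPath,   # key from the WIBU-SYSTEMS advisory
    [Parameter(Mandatory)][string]$ValueName,      # value name that disables 'Mass Storage'
    [Parameter(Mandatory)][int]   $DisabledValue,  # value WIBU documents as 'disabled'
    [string]$ServiceName = 'CodeMeter.exe',        # assumed service name
    [string]$BackupFile  = (Join-Path $env:ProgramData 'codemeter-massstorage-backup.json')
)

function Get-CurrentValue {
    if (-not (Test-Path $RegistryPath)) { return $null }
    (Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
}

function Backup-CurrentValue {
    # Record what was there (or that nothing was) so the change can be reverted once
    # the fixed CodeMeter runtime is installed and the workaround is no longer needed.
    $before = Get-CurrentValue
    [pscustomobject]@{
        Path    = $RegistryPath
        Name    = $ValueName
        Value   = $before          # $null means the value did not exist before
        SavedAt = (Get-Date).ToString('o')
        Host    = $env:COMPUTERNAME
    } | ConvertTo-Json | Set-Content -Path $BackupFile -Encoding UTF8
    $shown = if ($null -eq $before) { '<absent>' } else { $before }
    Write-Host "Backup written to $BackupFile (previous value: $shown)"
}

function Disable-MassStorageContainer {
    if (-not (Test-Path $RegistryPath)) { New-Item -Path $RegistryPath -Force | Out-Null }
    Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $DisabledValue -Type DWord
    # Assumed: the runtime reads this setting at start-up, so the service is restarted.
    # This briefly interrupts licence checks; run it when no engineering session is open.
    Restart-Service -Name $ServiceName -Force
}

function Test-Workaround {
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ValueMatches   = ((Get-CurrentValue) -eq $DisabledValue)
        ServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')
    }
}

Backup-CurrentValue
Disable-MassStorageContainer
$result = Test-Workaround
$result
if (-not ($result.ValueMatches -and $result.ServiceRunning)) {
    throw "Workaround not confirmed on $env:COMPUTERNAME; check $BackupFile and the service state"
}
```

Invoke it from an elevated prompt as `.\Disable-CodeMeterMassStorage.ps1 -RegistryPath '<key>' -ValueName '<value>' -DisabledValue <n>` with the three values taken from the WIBU-SYSTEMS advisory. Keep the JSON backup with the change record: once the fixed CodeMeter runtime is deployed, the saved value tells you whether to restore the old setting or remove the value that did not exist before.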
CVEs (1)