WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro

Plan PatchCVSS 7.1VDE-2022-002Jan 31, 2022

CODESYSWAGO

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

A vulnerability exists in the WIBU-SYSTEMS CodeMeter licensing component, which is installed by default as part of WAGO e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) engineering software. The vulnerability allows a local user to write files or perform operations outside intended boundaries, potentially compromising the integrity of engineering workstations. e!COCKPIT versions prior to 1.11 are affected; all versions of WAGO-I/O-Pro CODESYS 2.3 (including 2.3.9.46, 2.3.9.47, 2.3.9.49, 2.3.9.53, 2.3.9.55, 2.3.9.61, and 2.3.9.66) are affected with no patch planned by the vendor.

What this means

What could happen

A local attacker with user-level access could exploit a flaw in the bundled CodeMeter licensing component to modify files or disable system processes, potentially disrupting engineering workstations and blocking access to controlled devices.

Who's at risk

Engineering staff and system integrators who use WAGO e!COCKPIT or WAGO-I/O-Pro (CODESYS 2.3) to program and configure WAGO PLCs, I/O terminals, and remote I/O devices. This affects any water utility or municipal electric utility that uses WAGO-based automation systems for process control or telemetry.

How it could be exploited

An attacker with local access to a workstation running e!COCKPIT or WAGO-I/O-Pro would exploit a vulnerability in the CodeMeter component (installed by default) to write files or execute operations with higher privileges, potentially affecting the integrity of engineering tools or the ability to program PLCs and I/O controllers.

Prerequisites

Local access to engineering workstation running affected e!COCKPIT or WAGO-I/O-Pro installation
User-level privileges (no admin required)

Local access required but no authentication neededLow complexity exploitationAffects engineering workstationsAll CODESYS 2.3 versions have no fix planned

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (8)

1 with fix7 pending

ProductAffected VersionsFix Status

e!COCKPIT engineering software installation bundle <V1.11<V1.11V1.11

-I/O-Pro (CODESYS 2.3) engineering software installation 2.3.9.532.3.9.53No fix yet

-I/O-Pro (CODESYS 2.3) engineering software installation 2.3.9.552.3.9.55No fix yet

-I/O-Pro (CODESYS 2.3) engineering software installation 2.3.9.612.3.9.61No fix yet

-I/O-Pro (CODESYS 2.3) engineering software installation 2.3.9.662.3.9.66No fix yet

-I/O-Pro (CODESYS 2.3) engineering software installation 2.3.9.462.3.9.46No fix yet

-I/O-Pro (CODESYS 2.3) engineering software installation 2.3.9.492.3.9.49No fix yet

-I/O-Pro (CODESYS 2.3) engineering software installation 2.3.9.472.3.9.47No fix yet

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDDisable the 'Mass Storage' container type in CodeMeter via Windows Registry as a temporary workaround

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

-I/O-Pro (CODESYS 2.3) engineering software installation 2.3.9.53

HOTFIXUpdate WAGO-I/O-Pro (CODESYS 2.3) to version 2.3.9.68 or later when available in Q1 2022

All products

HOTFIXUpdate e!COCKPIT to version 1.11 or later, or apply the security patch for e!COCKPIT 1.10 when available

HOTFIXImmediately install the latest standalone WIBU-SYSTEMS CodeMeter version on all engineering workstations

Long-term hardening

0/1

HARDENINGRestrict physical and remote access to engineering workstations to authorized personnel only

CVEs (1)

CVE-2021-41057

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/3ae62841-f97a-436c-abb8-74b38bf55a73

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.