Phoenix Contact: WIBU-SYSTEMS CodeMeter Runtime vulnerabilities in multiple products

Priority: Act Now
CVSS: 9.8
Advisory: VDE-2023-062
Published: Nov 21, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A heap-based buffer overflow in WIBU-SYSTEMS CodeMeter Runtime—a component used by multiple Phoenix Contact products—results from improper handling of whitespace characters in JavaScript and from a vulnerability in the bundled libcurl library. An attacker can exploit it over the network, without credentials, to execute arbitrary code. The vulnerability affects the CodeMeter licensing and security-enforcement component integrated into E-Mobility Charging Suite, FL Network Manager, IOL Conf, MTP DESIGNER, PLCnext Engineer, and Activation Wizard. Most affected Phoenix Contact products have no vendor fix available; fixes exist only in CodeMeter Runtime v7.60d and the separately packaged Activation Wizard v1.7.

What this means
What could happen
A heap buffer overflow in CodeMeter Runtime could allow a remote attacker without credentials to execute arbitrary code on systems running affected Phoenix Contact products. This could result in complete compromise of the device, allowing attackers to alter process control logic or shut down operations.
Who's at risk
Manufacturing facilities using Phoenix Contact automation products are affected: E-Mobility Charging Suite, FL Network Manager, IOL Conf, MTP DESIGNER, PLCnext Engineer (engineering workstation software), and Activation Wizard. Most versions have no patch available and remain vulnerable.
How it could be exploited
An attacker on the network sends a malicious request that exploits improper whitespace handling in JavaScript within the CodeMeter Runtime component. The attacker does not need valid credentials or user interaction. The overflow in the underlying libcurl library allows code execution on the host system.
Prerequisites
  • Network access to the host running CodeMeter Runtime
  • CodeMeter Runtime configured to use SOCKS5 proxy (socks5h://) OR vulnerable to the JavaScript whitespace interpretation flaw
  • No authentication required
Tags: Remotely exploitable; No authentication required; Low-complexity attack; Critical CVSS score (9.8); Most affected products have no patch available; Affects the PLCnext Engineer platform used to program industrial controllers
Affected products (9)
2 with fix, 7 EOL

Product                                      | Affected Versions | Fix Status
Activation Wizard                            | ≤ 1.6             | 1.7
Activation Wizard in MORYX Software Platform | ≤ 1.6             | 1.7
E-Mobility Charging Suite                    | ≤ 1.7.0           | No fix (EOL)
FL Network Manager                           | ≤ 7.0             | No fix (EOL)
IOL Conf                                     | ≤ 1.7.0           | No fix (EOL)
MTP DESIGNER                                 | ≤ 1.2.0 BETA      | No fix (EOL)
MTP DESIGNER TRIAL                           | ≤ 1.2.0 BETA      | No fix (EOL)
PLCnext Engineer                             | ≤ 2023.9          | No fix (EOL)
Remediation & Mitigation
Do now
HOTFIX: Install CodeMeter Runtime version 7.60d or later directly from the WIBU-SYSTEMS homepage
HOTFIX: Update Activation Wizard to version 1.7 when available from Phoenix Contact
WORKAROUND: Disable SOCKS5 proxy usage. Verify that the HTTP_PROXY, HTTPS_PROXY, and ALL_PROXY environment variables are not set to a socks5h:// URL, and check the CodeMeter Server configuration in the location for your platform:
  • Windows: registry key HKLM/SOFTWARE/WIBU-SYSTEMS/CodeMeter/Server/CurrentVersion
  • Mac: /Library/Preferences/com.wibu.CodeMeter.Server.ini
  • Linux: /etc/wibu/CodeMeter/Server.ini
  • Solaris: /etc/opt/CodeMeter/Server.ini
HARDENING: Restrict network access to systems running CodeMeter Runtime to trusted hosts and networks only, using firewall rules
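One way to carry out the SOCKS5 workaround check in an automated, repeatable way, as an added example that is not part of this advisory and not WIBU-SYSTEMS or Phoenix Contact tooling: the script below scans the proxy environment variables and the per-platform CodeMeter Server configuration locations named in the advisory for a socks5h:// URL. The advisory does not give the name of the setting that holds the proxy, so the script assumes nothing about it and matches the scheme anywhere on a non-comment line; the sample environment and INI content (including the `Proxy` key) are constructed for the demonstration only.

```python
"""Audit a host for the socks5h:// proxy setting named in the advisory workaround."""
import os
import platform
import re
from pathlib import Path

# Config file locations quoted in the advisory. Windows keeps the setting in the
# registry instead; the advisory's key is written here in winreg path form.
CONFIG_PATHS = {
    "Darwin": Path("/Library/Preferences/com.wibu.CodeMeter.Server.ini"),
    "Linux": Path("/etc/wibu/CodeMeter/Server.ini"),
    "SunOS": Path("/etc/opt/CodeMeter/Server.ini"),
}
WINDOWS_KEY = r"SOFTWARE\WIBU-SYSTEMS\CodeMeter\Server\CurrentVersion"
PROXY_ENV_VARS = ("HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY")
SOCKS5H = re.compile(r"socks5h://", re.IGNORECASE)


def find_socks5h_in_env(env):
    """Return {variable: value} for proxy variables whose value is a socks5h:// URL.
    Both upper- and lower-case spellings of each variable are checked."""
    hits = {}
    for name in PROXY_ENV_VARS:
        for key in (name, name.lower()):
            value = env.get(key)
            if value and SOCKS5H.search(value):
                hits[key] = value
    return hits


def find_socks5h_in_ini(text):
    """Return [(line_number, line)] for non-comment lines of a Server.ini-style file
    that reference socks5h://. The advisory does not name the setting key, so the
    scheme is matched anywhere on the line rather than under an assumed key."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":
            continue
        if SOCKS5H.search(stripped):
            hits.append((number, stripped))
    return hits


def find_socks5h_in_registry():
    """Windows only: scan every string value under the advisory's CodeMeter Server key.
    Returns [(value_name, data)]; an empty list on other platforms or if the key is absent."""
    if platform.system() != "Windows":
        return []
    import winreg  # only importable on Windows
    hits = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINDOWS_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, index)
                except OSError:  # no more values under this key
                    break
                if isinstance(data, str) and SOCKS5H.search(data):
                    hits.append((name, data))
                index += 1
    except OSError:  # key not present on this host
        pass
    return hits


def audit(env, ini_text, registry_hits=()):
    """Combine the checks into one list of findings; an empty list means the workaround holds."""
    findings = [f"env {k}={v}" for k, v in find_socks5h_in_env(env).items()]
    findings += [f"ini line {n}: {line}" for n, line in find_socks5h_in_ini(ini_text)]
    findings += [f"registry {name}={data}" for name, data in registry_hits]
    return findings


# Constructed sample input (not captured from a real system); the 'Proxy' key name
# is an assumption used only for this demonstration.
SAMPLE_ENV = {
    "HTTPS_PROXY": "socks5h://proxy.example.internal:1080",
    "HTTP_PROXY": "http://proxy.example.internal:3128",
}
SAMPLE_INI = """[HTTP]
; constructed example file
Proxy=socks5h://proxy.example.internal:1080

[General]
LogLevel=1
"""

if __name__ == "__main__":
    print("Sample data:", audit(SAMPLE_ENV, SAMPLE_INI) or "no socks5h:// proxy configured")
    # Live check of this host, using the advisory's per-platform locations.
    path = CONFIG_PATHS.get(platform.system())
    live_ini = path.read_text(errors="replace") if path and path.is_file() else ""
    live = audit(dict(os.environ), live_ini, find_socks5h_in_registry())
    print("This host:", live or "no socks5h:// proxy configured")
```

Run it in the environment the CodeMeter service actually starts from, since the proxy variables that matter are the ones that service inherits, not necessarily those of an interactive shell. Any finding is a reason to remove the socks5h:// setting until CodeMeter Runtime 7.60d or later is installed.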
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Isolate systems running affected PLCnext Engineer versions on a network segment with limited exposure until a patch is available