WAGO: WIBU-SYSTEMS CodeMeter Runtime vulnerabilities in multiple products
Act Now · Score 9.8 · VDE-2024-007 · Jan 22, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
WIBU-SYSTEMS CodeMeter Runtime, which is installed by default with the WAGO e!COCKPIT and CODESYS 2.3 engineering software, ships a vulnerable libcurl. When CodeMeter is configured to reach a SOCKS5 proxy that resolves host names on the proxy side (a socks5h:// URL supplied through the HTTP_PROXY, HTTPS_PROXY or ALL_PROXY environment variables, or through the ProxyServer setting in the Windows registry or the Server.ini configuration file), a heap-based buffer overflow can be triggered during the SOCKS5 handshake. The advisory counts two CVEs: this libcurl heap overflow and a second issue described as improper interpretation of whitespace characters in JavaScript. Affected are all versions of WAGO e!COCKPIT and CODESYS 2.3 versions 2.3.9.45 through 2.3.9.70. Remote code execution is possible without authentication or user interaction.
What this means
What could happen
A heap overflow in CodeMeter Runtime (installed by default with WAGO engineering software) allows a remote attacker without credentials to execute arbitrary code on the engineering workstations running WAGO e!COCKPIT or CODESYS 2.3. From such a workstation the attacker can modify PLC logic or process parameters, or disable control system functionality, since these machines hold the tooling and credentials used to program the controllers.
Who's at risk
Engineering and control system personnel who use WAGO e!COCKPIT or CODESYS 2.3 engineering workstations. This affects organizations running WAGO automation equipment that rely on these software bundles for configuration and programming of controllers, including water treatment, power distribution, and other industrial automation environments.
How it could be exploited
Exploitation requires that CodeMeter Runtime on a machine running WAGO e!COCKPIT or CODESYS 2.3 has been pointed at a SOCKS5 proxy with a socks5h:// URL, either through the HTTP_PROXY, HTTPS_PROXY or ALL_PROXY environment variables or through the ProxyServer entry in the Windows registry or the Server.ini configuration file. With socks5h://, the bundled libcurl hands the destination host name to the proxy for resolution instead of resolving it locally, and that is the code path containing the heap buffer overflow. An attacker who controls the proxy, or the endpoint CodeMeter is directed to connect to through it, can trigger the overflow; a plain socks5://, http:// or https:// proxy URL does not reach it. Successful exploitation results in arbitrary code execution with the privileges of the CodeMeter process.
Prerequisites
- Network access to the CodeMeter host or to the SOCKS5 proxy it is configured to use (the CodeMeter licensing service itself listens on port 22350)
- Machine running WAGO e!COCKPIT or CODESYS 2.3 with WIBU-SYSTEMS CodeMeter Runtime installed
- A socks5h:// proxy URL configured in the HTTP_PROXY, HTTPS_PROXY or ALL_PROXY environment variables, or in the ProxyServer registry value or Server.ini entry
Risk indicators:
- remotely exploitable
- no authentication required
- low complexity
- high EPSS score (>10%)
- no patch available for affected product versions
- default installation of vulnerable component
- affects engineering workstations and development environments
Affected products (2): 1 fix pending, 1 end of life
Product | Affected versions | Fix status
-I/O-Pro (CODESYS 2.3) engineering software installation | 2.3.9.45 through 2.3.9.70 | No fix yet
All WAGO e!COCKPIT engineering software installation bundles | All versions | No fix (EOL)
Remediation & Mitigation
Do now (workarounds)
- Verify that the HTTP_PROXY, HTTPS_PROXY and ALL_PROXY environment variables are not set to a socks5h:// URL; if they are, change them to http:// or https:// proxies only.
- On Windows, check the registry key HKLM\SOFTWARE\WIBU-SYSTEMS\CodeMeter\Server\CurrentVersion and verify that the ProxyServer value does not start with socks5h://; if it does, remove or change it.
- On macOS, check /Library/Preferences/com.wibu.CodeMeter.Server.ini and verify that the ProxyServer entry does not start with socks5h://; if it does, remove or change it.
- On Linux, check /etc/wibu/CodeMeter/Server.ini and verify that the ProxyServer entry does not start with socks5h://; if it does, remove or change it.
- On Solaris, check /etc/opt/CodeMeter/Server.ini and verify that the ProxyServer entry does not start with socks5h://; if it does, remove or change it.
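The checks above can be scripted so they run the same way on every affected workstation. The following is an added example for this advisory, not code from WIBU-SYSTEMS or WAGO: it audits the proxy environment variables, the CodeMeter Server.ini locations and, on Windows, the registry value named in the workarounds, and flags any value that starts with socks5h://. The lowercase variable names (http_proxy, https_proxy, all_proxy) are an assumption based on stock libcurl behaviour, and SAMPLE_SERVER_INI is a constructed file used only to demonstrate the parser.

```python
"""Audit CodeMeter proxy settings for the socks5h:// scheme.

Added example for advisory VDE-2024-007; not WIBU-SYSTEMS or WAGO code.
Paths and the registry key come from the advisory's workarounds. The
lowercase environment variable names are an assumption (stock libcurl reads
them too), and SAMPLE_SERVER_INI is constructed for demonstration.
"""
import configparser
import os
import sys
from typing import Dict, List, Optional

# Environment variables that can carry a proxy URL into the bundled libcurl.
PROXY_ENV_VARS = (
    "HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY",
    "http_proxy", "https_proxy", "all_proxy",  # assumption: lowercase also honoured
)

# Server.ini locations from the advisory, keyed by sys.platform prefix.
SERVER_INI_PATHS = {
    "darwin": "/Library/Preferences/com.wibu.CodeMeter.Server.ini",
    "linux": "/etc/wibu/CodeMeter/Server.ini",
    "sunos": "/etc/opt/CodeMeter/Server.ini",
}

# Windows registry key (under HKLM) holding the ProxyServer value.
REGISTRY_KEY = r"SOFTWARE\WIBU-SYSTEMS\CodeMeter\Server\CurrentVersion"


def is_remote_resolving_socks5(url: str) -> bool:
    """True when the proxy URL asks the SOCKS5 proxy to resolve host names.

    Only socks5h:// reaches the overflowing handshake path; socks5://,
    http:// and https:// are not flagged, matching the advisory's workaround.
    """
    return url.strip().lower().startswith("socks5h://")


def audit_env(env: Dict[str, str]) -> List[str]:
    """One finding per proxy environment variable set to a socks5h:// URL."""
    findings = []
    for name in PROXY_ENV_VARS:
        value = env.get(name)
        if value and is_remote_resolving_socks5(value):
            findings.append(f"env {name}={value}")
    return findings


def audit_server_ini(ini_text: str) -> List[str]:
    """Findings for every ProxyServer key in a Server.ini set to socks5h://."""
    # Tolerate a file that starts with key=value lines before any [section].
    if not ini_text.lstrip().startswith("["):
        ini_text = "[root]\n" + ini_text
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    findings = []
    for section in parser.sections():
        value = parser.get(section, "ProxyServer", fallback=None)
        if value and is_remote_resolving_socks5(value):
            findings.append(f"ini [{section}] ProxyServer={value}")
    return findings


def audit_windows_registry() -> List[str]:
    """Read HKLM\\...\\CurrentVersion\\ProxyServer; returns [] off Windows."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REGISTRY_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, "ProxyServer")
    except OSError:  # key or value not present
        return []
    if isinstance(value, str) and is_remote_resolving_socks5(value):
        return [f"registry HKLM\\{REGISTRY_KEY}\\ProxyServer={value}"]
    return []


def audit_host(env: Optional[Dict[str, str]] = None) -> List[str]:
    """Run every check that applies to the platform this script runs on."""
    findings = audit_env(os.environ if env is None else env)
    if sys.platform.startswith("win"):
        findings += audit_windows_registry()
    for prefix, path in SERVER_INI_PATHS.items():
        if sys.platform.startswith(prefix) and os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings += audit_server_ini(fh.read())
    return findings


# Constructed Server.ini pointing CodeMeter at a remote-resolving SOCKS5 proxy.
SAMPLE_SERVER_INI = """\
[General]
; constructed sample for this example, not a real CodeMeter configuration
Name=engineering-ws-01

[Network]
ProxyServer=socks5h://proxy.example.net:1080
"""

if __name__ == "__main__":
    hits = audit_server_ini(SAMPLE_SERVER_INI) + audit_host()
    for hit in hits:
        print("socks5h proxy configured:", hit)
    sys.exit(1 if hits else 0)
```

Run it with the account that operates CodeMeter so the same environment is inspected; a non-zero exit means at least one setting still selects proxy-side name resolution and should be changed to an http:// or https:// proxy as the workaround describes.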
Schedule (requires maintenance window)
Patching may require a device reboot; plan for process interruption.
- -I/O-Pro (CODESYS 2.3) engineering software installation, 2.3.9.45 through 2.3.9.70
  HOTFIX: Install the latest standalone WIBU-SYSTEMS CodeMeter Runtime available from the vendor as a temporary measure until CODESYS 2.3 receives a patched bundle. Because e!COCKPIT is end of life and will not receive a patched bundle, the standalone CodeMeter update is the only vendor-supplied fix for those installations.
CVEs (2)