CodeMeter < 7.10 Information Exfiltration Vulnerability
2020-09-21T00:00:00
ID: CODEMETER_WEBADMIN_7_10.NASL
Type: nessus
Reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified: 2020-09-21T00:00:00
Description
According to its self-reported version, the CodeMeter WebAdmin server
installed on the remote host is prior to 7.10. It is
affected by a vulnerability where an attacker could send a specially
crafted packet that could have the server send back packets
containing data from the heap.
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(140695);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/09/22");

  script_cve_id("CVE-2020-16233");

  script_name(english:"CodeMeter < 7.10 Information Exfiltration Vulnerability");
  script_summary(english:"Checks the CodeMeter WebAdmin version.");

  script_set_attribute(attribute:"synopsis", value:
"A web application on the remote host is affected by a privilege
escalation vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the CodeMeter WebAdmin server
installed on the remote host is prior to 7.10. It is
affected by a vulnerability where attacker could send a specially
crafted packet that could have the server send back packets
containing data from the heap.");
  script_set_attribute(attribute:"see_also", value:"https://www.wibu.com/support/user/downloads-user-software.html");
  # https://www.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-200521-05.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2062e436");
  # https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c85150b5");
  script_set_attribute(attribute:"solution", value:
"Upgrade to CodeMeter 7.10 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-16233");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/09/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/09/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/09/21");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:wibu:codemeter_runtime");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("codemeter_webadmin_detect.nasl");
  script_require_keys("installed_sw/CodeMeter");
  script_require_ports("Services/www", 22350, 22352);

  exit(0);
}

include('vcf.inc');
include('http.inc');

app = 'CodeMeter';
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:22350, embedded:TRUE);

app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);

constraints = [
  {'fixed_version': '7.10'}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
{"cve": [{"lastseen": "2020-12-09T22:03:09", "description": "An attacker could send a specially crafted packet that could have CodeMeter (All versions prior to 7.10) send back packets containing data from the heap.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-09-16T20:15:00", "title": "CVE-2020-16233", "type": "cve", "cwe": ["CWE-404"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16233"], "modified": "2020-09-18T16:11:00", "cpe": [], "id": "CVE-2020-16233", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16233", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}], "ics": [{"lastseen": "2020-12-18T03:21:39", "bulletinFamily": "info", "cvelist": ["CVE-2020-14513", "CVE-2020-14519", "CVE-2020-16233", "CVE-2020-14515", "CVE-2020-14517", "CVE-2020-14509"], "description": "## 1\\. 
EXECUTIVE SUMMARY\n\n * **CVSS v3 10.0**\n * **ATTENTION: **Exploitable remotely/low skill level to exploit\n * **Vendor:** Wibu-Systems AG\n * **Equipment:** CodeMeter\n * **Vulnerabilities: **Buffer Access with Incorrect Length Value, Inadequate Encryption Strength, Origin Validation Error, Improper Input Validation, Improper Verification of Cryptographic Signature, Improper Resource Shutdown or Release\n\n## 2\\. UPDATE INFORMATION\n\nThis updated advisory is a follow-up to the advisory update titled ICSA-20-203-01 Wibu-Systems CodeMeter (Update C) that was published October 15, 2020, to the ICS webpage on us-cert.gov.\n\n## 3\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data, and prevent normal operation of third-party software dependent on the CodeMeter.\n\n## 4\\. TECHNICAL DETAILS\n\n### 4.1 AFFECTED PRODUCTS\n\nThe following versions of CodeMeter Runtime, a license manager, are affected: \n\n * All versions prior to 7.10a are affected by CVE-2020-14509 and CVE-2020-14519\n * All versions prior to 7.10a are affected by CVE-2020-14517\n * All versions prior to 7.10 are affected by CVE-2020-16233\n * All versions prior to 6.81 are affected by CVE-2020-14513 \n * All versions prior to 6.90 are affected by CVE-2020-14515 when using CmActLicense update files with CmActLicense Firm Code\n\nThis license manager is used in products by many different vendors. As new instances are discovered/reported, they will be added to this list of affected products.\n\n### 4.2 VULNERABILITY OVERVIEW\n\n#### 4.2.1 [BUFFER ACCESS WITH INCORRECT LENGTH VALUE CWE-805](<https://cwe.mitre.org/data/definitions/805.html>)\n\nMultiple memory corruption vulnerabilities exist where the packet parser mechanism does not verify length fields. 
An attacker could send specially crafted packets to exploit these vulnerabilities.\n\n[CVE-2020-14509](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14509>) has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H>)).\n\n#### 4.2.2 [INADEQUATE ENCRYPTION STRENGTH CWE-326](<https://cwe.mitre.org/data/definitions/326.html>)\n\nProtocol encryption can be easily broken and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.\n\n[CVE-2020-14517](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14517>) has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H>)).\n\n#### 4.2.3 [ORIGIN VALIDATION ERROR CWE-346](<https://cwe.mitre.org/data/definitions/346.html>)\n\nThis vulnerability allows an attacker to use the internal WebSockets API via a specifically crafted Java Script payload, which may allow alteration or creation of license files when combined with CVE-2020-14515.\n\n[CVE-2020-14519](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14519>) has been assigned to this vulnerability. 
A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H>)).\n\n#### 4.2.4 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nCodeMeter and the software using it may crash while processing a specifically crafted license file due to unverified length fields.\n\n[CVE-2020-14513](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14513>) has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H>)).\n\n#### 4.2.5 [IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347](<https://cwe.mitre.org/data/definitions/347.html>)\n\nThere is an issue in the license-file signature checking mechanism, which allows attackers to build arbitrary license files, including forging a valid license file as if it were a valid license file of an existing vendor. Only CmActLicense update files with CmActLicense Firm Code are affected.\n\n[CVE-2020-14515](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14515>) has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is ([AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H>)).\n\n#### 4.2.6 [IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404](<https://cwe.mitre.org/data/definitions/404.html>)\n\nAn attacker could send a specially crafted packet that could have the server send back packets containing data from the heap.\n\n[CVE-2020-16233](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16233>) has been assigned to this vulnerability. 
A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N>)).\n\n### 4.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS: **Multiple\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **Germany\n\n### 4.4 RESEARCHER\n\nSharon Brizinov and Tal Keren of Claroty reported these vulnerabilities to CISA.\n\n## 5\\. MITIGATIONS\n\nWibu-Systems recommends the following:\n\n * Update to the latest version of the CodeMeter Runtime.\n * Run CodeMeter only as client.\n * Utilize the new REST API instead of the internal WebSockets API.\n * Disable the WebSockets API.\n * Apply AxProtector.\n\nFor more information please see Wibu-Systems\u2019 security advisories:\n\n * Deutsch: <https://www.wibu.com/de/support/security-advisories.html>\n * English: <https://www.wibu.com/en/support/security-advisories.html>\n\nFor more information on products dependent on the affected CodeMeter see the following vendor security advisories:\n\n * ABB: [CodeMeter Vulnerabilities](<https://global.abb/group/en/technology/cyber-security/alerts-and-notifications>)\n * Bosch: [BOSCH-SA-231483](<https://psirt.bosch.com/security-advisories/bosch-sa-231483.html>)\n * CODESYS: [Security Advisory 2020-06](<https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=13245&token=12e702eb28edb2de082dc2f5e1375bea35c2fd1d&download=>)\n * COPA-DATA: [CD_SVA_2020_1](<https://www.copadata.com/fileadmin/user_upload/faq/files/CD_SVA_2020_1.pdf>)\n * Pepperl+Fuchs: [VDE-2020-034](<https://cert.vde.com/en-us/advisories/vde-2020-034>)\n * Phoenix Contact: [VDE-2020-030](<https://cert.vde.com/en-us/advisories/vde-2020-030>)\n * PILZ: [VDE-2020-033](<https://cert.vde.com/en-us/advisories/vde-2020-033>)\n * Rockwell: Knowledgebase Article ID [1127863](<https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1127863>) (Login Required)\n * 
Schneider Electric: [SEVD-2020-287-02](<https://www.se.com/ww/en/download/document/SEVD-2020-287-02/>)\n * Siemens: [SSA-455843](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n * WAGO: [VDE-2020-032](<https://cert.vde.com/en-us/advisories/vde-2020-032>)\n * WEIDMUELLER: [VDE-2020-041](<https://cert.vde.com/en-us/advisories/vde-2020-041>)\n\n**\\--------- Begin Update D Part 1 of 1 ---------**\n\n * Eaton: [ETN-SB-2020-1011](<https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/wibu-systems-ag-codemeter-vulnerabilities-eaton-security-bulletin.pdf>)\n * TRUMPF: [VDE-2020-039](<https://cert.vde.com/en-us/advisories/vde-2020-039>)\n\n**\\--------- End Update D Part 1 of 1 ---------**\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://www.us-cert.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://www.us-cert.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.gov](<https://www.us-cert.gov/ics>). 
Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.gov](<https://www.us-cert.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities. \n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. 
You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://surveymonkey.com/r/G8STDRY?product=https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01>); we'd welcome your feedback.\n", "edition": 10, "modified": "2020-12-03T00:00:00", "published": "2020-12-03T00:00:00", "id": "ICSA-20-203-01", "href": "https://www.us-cert.gov//ics/advisories/icsa-20-203-01", "title": "Wibu-Systems CodeMeter (Update D)", "type": "ics", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2020-10-17T22:14:25", "bulletinFamily": "info", "cvelist": ["CVE-2020-14509", "CVE-2020-14513", "CVE-2020-14515", "CVE-2020-14517", "CVE-2020-14519", "CVE-2020-16233", "CVE-2020-24400", "CVE-2020-24407"], "description": "Six critical vulnerabilities have been discovered in a third-party software component powering various industrial systems. Remote, unauthenticated attackers can exploit the flaws to launch various malicious attacks \u2013 including deploying ransomware, and shutting down or even taking over critical systems.\n\nThe flaws exists in CodeMeter, owned by Wibu-Systems, which is a [software management component](<https://www.wibu.com/us/products/codemeter.html>) that\u2019s licensed by many of the top industrial control system (ICS) software vendors, including Rockwell Automation and Siemens. CodeMeter gives these companies tools to bolster security, help with licensing models, and protect against piracy or reverse-engineering.\n\nWibu-Systems made patches available for all of the flaws in version 7.10 of CodeMeter, on Aug. 11; however, the flaws were only recently disclosed by researchers on Tuesday. 
Many of the affected vendors have been notified and added \u2013 or are in the process of adding \u2013 fixes to their installers, said researchers with Claroty who discovered the glitches.\n\n[](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)\n\nClick to Register\n\n\u201cSuccessful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code-execution, read heap data and prevent normal operation of third-party software dependent on the CodeMeter,\u201d according to a [Tuesday advisory](<https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01>) published by ICS-CERT.\n\nResearchers discovered a set of flaws in the CodeMeter WebSocket API ([CVE-2020-14519](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14519>)) enabling management of licenses via JavaScript. To exploit the flaws, an attacker would first have to phish or socially-engineer victims to lure them to a site they control.\n\nIn one attack scenario, an attacker could target a specific group of engineers looking for advice on a forum dedicated to programmable logic controllers (PLCs), by hosting the malicious payload on a phony or compromised forum. Once the target visits the attacker-controlled website, the threat actors are able to use JavaScript to inject a malicious license of their own onto the target\u2019s machine, researchers said.\n\n\u201cThese flaws can be exploited via phishing campaigns or directly by attackers who would be able to fingerprint user environments in order to modify existing software licenses or inject malicious ones, causing devices and processes to crash,\u201d according to Sharon Brizinov and Tal Keren, security researchers with Claroty, [in a Tuesday analysis](<https://www.claroty.com/2020/09/08/blog-research-wibu-codemeter-vulnerabilities/>). 
\u201cSerious encryption implementation issues, also discovered by Claroty, can be exploited to allow attackers to execute code remotely, and move laterally on [operational technology] (OT) networks.\u201d\n\nAnother severe flaw ([CVE-2020-14509](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14509>)) is a simple buffer-access error, in the packet parser mechanism used by CodeMeter, which does not verify length fields. This flaw has the highest CVSS v3 score possible (10 out of 10), making it critical.\n\n\u201cCVE-2020-14509 is a highly critical vulnerability that poses a great risk to products that are using the third-party component, CodeMeter,\u201d Brizinov told Threatpost. \u201cThe vulnerability is a heap buffer overflow memory-corruption flaw, and it could be exploited to gain remote code execution without any prior knowledge of the target machine. All an attacker will need to do is be able to communicate with the target machine via TCP port 22350.\u201d\n\nAnother serious bug ([CVE-2020-14517](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14517>)) was found in the CodeMeter encryption implementation. This flaw could be leveraged to attack the CodeMeter communication protocol and internal API, in order to remotely communicate with, and send commands to, any machine running CodeMeter, researchers said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/09/09102755/wibu-blog-image-1.png>)\n\nA breakdown of the CodeMeter WebSocket vulnerability (click to enlarge). 
Credit: Claroty\n\nThe remaining three flaws include an improper input-validation error ([CVE-2020-14513](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14513>)) that could force CodeMeter to shut down; an issue in the license-file signature-checking mechanism ([CVE-2020-14515](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14515>)) that allows attackers to build arbitrary license files; and an improper-resource shutdown or release vulnerability ([CVE-2020-16233](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16233>)).\n\n\u201cChaining these\u2026 bugs allows an attacker to sign their own licenses and then inject them remotely,\u201d said researchers. \u201cVulnerabilities related to input-validation errors (CVE-2020-14513) could also be exploited to cause industrial gear to crash and be unresponsive, leading to a denial-of-service condition.\u201d\n\nAccording to ICS-CERT, Wibu-Systems recommends that users update to the latest version of the CodeMeter Runtime (version 7.10). Affected vendors like [Rockwell](<https://idp.rockwellautomation.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Drockwellautomation.custhelp.com%26RelayState%3Danswers%2Fanswer_view%2Fa_id%2F1127863>) and [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>) have released their own security advisories, but researchers warn that, due to CodeMeter being integrated into many leading ICS products, users may be unaware this vulnerable third-party component is running in their environment.\n\n\u201cCodeMeter is a widely deployed third-party tool that is integrated into numerous products; organizations may not be aware their product has CodeMeter embedded, for example, or may not have a readily available update mechanism,\u201d warned researchers.\n\nBrizinov told Threatpost, researchers have not encountered any active campaigns using these exploits yet. 
Threatpost has reached out to Wibu-Systems for further comment.\n\nVulnerabilities in industrial gear has worried the security space due to the dire implications if a critical system is attacked. In July, the U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) [issued an alert](<https://threatpost.com/nsa-urgent-warning-industrial-cyberattacks-triconex/157723/>) warning that adversaries could be targeting critical infrastructure across the U.S.\n\nIn March, [security vulnerabilities](<https://threatpost.com/critical-bugs-in-rockwell-johnson-controls-ics-gear/153602/>) requiring very little skill to exploit were discovered in ICS devices from Rockwell Automation and Johnson Controls. And in July, researchers warned that [remote code-execution flaws](<https://threatpost.com/critical-bugs-utilities-vpns-physical-damage/157835/>) in virtual private network (VPN) products could impact the physical functioning of critical infrastructure in the oil and gas, water and electric utilities space.\n\n[**On Wed Sept. 16 @ 2 PM ET:**](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)** Learn the secrets to running a successful Bug Bounty Program. **[**Register today**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** for this FREE Threatpost webinar \u201c**[**Five Essentials for Running a Successful Bug Bounty Program**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)**\u201c. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 
16, 2-3 PM ET for this **[**LIVE**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** webinar.**\n", "modified": "2020-09-09T15:58:16", "published": "2020-09-09T15:58:16", "id": "THREATPOST:2599160F787BE161604E8BC2847A6643", "href": "https://threatpost.com/severe-industrial-bugs-takeover-critical-systems/159068/", "type": "threatpost", "title": "Critical Flaws in 3rd-Party Code Allow Takeover of Industrial Control Systems", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}