ADVISORY2025-01_VDE-2025-001

Vulnerability from csaf_codesysgmbh - Published: 2025-01-21 11:00 - Updated: 2025-06-05 13:31
Summary
CODESYS Key physical side-channel vulnerability
Notes
Summary: The CODESYS Key USB dongle, which is based on WIBU CodeMeter technology, is affected by a physical side-channel vulnerability.
Impact: The CODESYS Key is a USB dongle for secure storage of your CODESYS software licenses based on WIBU CodeMeter technology. The manufacturer WIBU-SYSTEMS AG has reported a physical side-channel vulnerability in a cryptographic library from Infineon Technologies that is part of the WIBU CmDongle firmware and thus also in the affected CODESYS Keys. The exploitation of this vulnerability has been classified as complex. Potential attackers need physical access to the CODESYS Key and special equipment to exploit the vulnerability. For more details see the WIBU-SYSTEMS AG Security Advisory WIBU-100094 at https://www.wibu.com/support/security-advisories.html. In addition to licensing, the CODESYS Key can also be used for secure storage of secret data. The identified CVSS is the highest rating that can occur in combination with the various applications in the CODESYS software. If the CODESYS Key is also used with applications from other vendors, the rating may differ. In this case, the respective vendor and/or the WIBU-SYSTEMS AG security advisory should be consulted.
Remediation: Update the CODESYS Key firmware to version 4.52. Updating the firmware also protects the future usage of additional CODESYS Key features by the CODESYS software and general usage by other software. The update can be installed, for example, via the CodeMeter Control Center.
Mitigation: Regardless of the vulnerability described here, CODESYS GmbH recommends that physical access to the CODESYS Key should only be granted to authorized persons. Especially in the case of productive control systems, removal of the CODESYS Key can affect the controlled machine or process. This generally recommended restriction of access also reduces the attack surface for this vulnerability, as its exploitation requires physical access.
General Recommendation: As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice defense measures:
* Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
* Use firewalls to protect and separate the control system network from other networks
* Activate and apply user management and password features
* Limit the access to both development and control system by physical means, operating system features, etc.
* Use encrypted communication links
* Use VPN (Virtual Private Networks) tunnels if remote access is required
* Protect both development and control system by using up-to-date virus detecting solutions
For more information and general recommendations for protecting machines and plants, see also the CODESYS Security Whitepaper [here](https://customers.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf).
Disclaimer: CODESYS GmbH assumes no liability whatsoever for indirect, collateral, accidental or consequential losses that occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided in good faith by CODESYS GmbH. Insofar as permissible by law, however, none of this information shall establish any guarantee, commitment or liability on the part of CODESYS GmbH. Note: Not all CODESYS features are available in all territories. For more information on geographic restrictions, please contact sales@codesys.com.

Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected.

CWE-203 - Observable Discrepancy
Vendor Fix: Update the CODESYS Key firmware to version 4.52. Updating the firmware also protects the future usage of additional CODESYS Key features by the CODESYS software and general usage by other software. The update can be installed, for example, via the CodeMeter Control Center.
Mitigation: Regardless of the vulnerability described here, CODESYS GmbH recommends that physical access to the CODESYS Key should only be granted to authorized persons. Especially in the case of productive control systems, removal of the CODESYS Key can affect the controlled machine or process. This generally recommended restriction of access also reduces the attack surface for this vulnerability, as its exploitation requires physical access.
Acknowledgments
CERT@VDE certvde.com
NinjaLabs

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "organization": "NinjaLabs",
        "summary": "reporting"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "The CODESYS Key USB dongle, which is based on WIBU CodeMeter technology, is affected by a physical side-channel vulnerability. ",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "The CODESYS Key is a USB dongle for secure storage of your CODESYS software licenses based on WIBU CodeMeter technology. The manufacturer WIBU-SYSTEMS AG has reported a physical side-channel vulnerability in a cryptographic library from Infineon Technologies that is part of the WIBU CmDongle firmware and thus also in the affected CODESYS Keys.\n\nThe exploitation of this vulnerability has been classified as complex. Potential attackers need physical access to the CODESYS Key and special equipment to exploit the vulnerability.\n\nFor more details see the WIBU-SYSTEMS AG Security Advisory WIBU-100094 on https://www.wibu.com/support/security-advisories.html.\n\nIn addition to licensing, the CODESYS Key can also be used for secure storage of secret data. The identified CVSS is the highest rating that can occur in combination with the various applications in the CODESYS software. If the CODESYS key is also used with applications from other vendors, the rating may differ. In this case, the respective vendor and/or the WIBU-SYSTEMS AG security advisory should be consulted. ",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Update the CODESYS Key firmware to version 4.52.\n\nUpdating the firmware also protects the future usage of additional CODESYS Key features by the CODESYS software and general usage by other software. The update can be installed, for example, via the CodeMeter Control Center. ",
        "title": "Remediation"
      },
      {
        "category": "description",
        "text": "Regardless of the vulnerability described here, CODESYS GmbH recommends that physical access to the CODESYS Key should only be granted to authorized persons. Especially in the case of productive control systems, removal of the CODESYS Key can affect the controlled machine or process.\n\nThis generally recommended restriction of access also reduces the attack surface for this vulnerability, as its exploitation requires physical access. ",
        "title": "Mitigation"
      },
      {
        "category": "general",
        "text": "As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice\ndefense measures:\n\n* Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside\n* Use firewalls to protect and separate the control system network from other networks\n* Activate and apply user management and password features\n* Limit the access to both development and control system by physical means, operating system features, etc.\n* Use encrypted communication links\n* Use VPN (Virtual Private Networks) tunnels if remote access is required\n* Protect both development and control system by using up to date virus detecting solutions\n\nFor more information and general recommendations for protecting machines and plants, see also the\nCODESYS Security Whitepaper [here.](https://customers.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf)\n",
        "title": "General Recommendation"
      },
      {
        "category": "legal_disclaimer",
        "text": "CODESYS GmbH assumes no liability whatsoever for indirect, collateral, accidental or consequential losses\nthat occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided on good faith by CODESYS GmbH.\nInsofar as permissible by law, however, none of this information shall establish any guarantee, commitment or\nliability on the part of CODESYS GmbH.\n\nNote: Not all CODESYS features are available in all territories. For more information on geographic restrictions,\nplease contact sales@codesys.com.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "security@codesys.com",
      "name": "CODESYS GmbH",
      "namespace": "https://www.codesys.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for CODESYS GmbH",
        "url": "https://certvde.com/en/advisories/vendor/codesys"
      },
      {
        "category": "self",
        "summary": "Advisory2025-01_VDE-2025-001: CODESYS Key physical side-channel vulnerability - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2025-001/"
      },
      {
        "category": "self",
        "summary": "Advisory2025-01_VDE-2025-001: CODESYS Key physical side-channel vulnerability - CSAF",
        "url": "https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2025/advisory2025-01_vde-2025-001.json"
      },
      {
        "category": "external",
        "summary": "CODESYS Security Advisories",
        "url": "https://www.codesys.com/security/security-reports.html"
      },
      {
        "category": "self",
        "summary": "Advisory2025-01_VDE-2025-001: CODESYS Key physical side-channel vulnerability - PDF",
        "url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=18751\u0026token=67384bc706d606a395afb3c0a0a794e49cc8d27d\u0026download="
      }
    ],
    "title": "CODESYS Key physical side-channel vulnerability",
    "tracking": {
      "aliases": [
        "VDE-2025-001",
        "CODESYS Security Advisory 2025-01"
      ],
      "current_release_date": "2025-06-05T13:31:01.000Z",
      "generator": {
        "date": "2025-01-22T07:12:50.885Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.16"
        }
      },
      "id": "Advisory2025-01_VDE-2025-001",
      "initial_release_date": "2025-01-21T11:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-01-14T11:00:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        },
        {
          "date": "2025-06-05T13:31:01.000Z",
          "number": "2",
          "summary": "Fix: version space"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version",
                    "name": "series 3",
                    "product": {
                      "name": "CODESYS Key series 3",
                      "product_id": "CSAFPID-11001",
                      "product_identification_helper": {
                        "serial_numbers": [
                          "3-???????"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS Key"
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c4.52",
                "product": {
                  "name": "Firmware \u003c4.52",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_version",
                "name": "4.52",
                "product": {
                  "name": "Firmware 4.52",
                  "product_id": "CSAFPID-22001"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "CODESYS"
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c4.52 installed on CODESYS Key series 3",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 4.52 installed on CODESYS Key series 3",
          "product_id": "CSAFPID-32001"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11001"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-45678",
      "cwe": {
        "id": "CWE-203",
        "name": "Observable Discrepancy"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001"
        ],
        "known_affected": [
          "CSAFPID-31001"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update the CODESYS Key firmware to version 4.52.\n\nUpdating the firmware also protects the future usage of additional CODESYS Key features by the CODESYS software and general usage by other software. The update can be installed, for example, via the CodeMeter Control Center. ",
          "product_ids": [
            "CSAFPID-31001"
          ]
        },
        {
          "category": "mitigation",
          "details": "Regardless of the vulnerability described here, CODESYS GmbH recommends that physical access to the CODESYS Key should only be granted to authorized persons. Especially in the case of productive control systems, removal of the CODESYS Key can affect the controlled machine or process.\n\nThis generally recommended restriction of access also reduces the attack surface for this vulnerability, as its exploitation requires physical access. ",
          "product_ids": [
            "CSAFPID-31001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 4.9,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "temporalScore": 4.9,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001"
          ]
        }
      ],
      "title": "CVE-2024-45678"
    }
  ]
}

