FSA-202206

Vulnerability from csaf_festosecokg - Published: 2022-12-13 11:50 - Updated: 2025-10-01 10:50
Summary
Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products
Notes
Summary: A vulnerability was reported in WIBU-SYSTEMS CodeMeter Runtime. WIBU-SYSTEMS CodeMeter Runtime is part of the installation packages of several Festo products. FluidDraw < 6.2c and CIROS <= 7.0.6 contain a vulnerable version of WIBU-SYSTEMS CodeMeter Runtime.

Remediation:

### FluidDraw P5, FluidDraw P6

Avoid any FluidDraw installation with a FluidDraw installation package below version 6.2c. Updated versions of FluidDraw are available on the Festo website.

In case of a FluidDraw installation package with a version below 6.2c:

- **Do not use** the WIBU CodeMeter package that is part of the FluidDraw installation package.
- Skip the CodeMeter installation step during the FluidDraw installation.
- Instead, use a current CodeMeter version from the WIBU website and install it separately.
- In case of an already installed vulnerable CodeMeter version, update all these WIBU CodeMeter installations with the current version of WIBU CodeMeter.

> Please refer to the WIBU CodeMeter documentation and website for further details and mitigations on usage of WIBU CodeMeter Runtime before 7.30a.

---

### CIROS

For future installations:

- Use a CIROS installer downloaded from [https://ip.festo-didactic.com/](https://ip.festo-didactic.com/)
- Make sure it is downloaded **after September 15, 2022**

For existing installations:

- Update the WIBU CodeMeter Runtime separately to at least **version 7.30a** (downloaded from the WIBU Systems website).
- Refer to the WIBU CodeMeter documentation and website for further details and mitigations.

---

### MES PC

If your copy of MES4 came preinstalled on a PC shipped **before December 2022**:

- Ensure the PC has at least **CodeMeter Runtime 7.30a** installed.
- If necessary, download the update from the WIBU Systems website.

---

### Additional to the above

Festo strongly recommends:

- Restricting **unprivileged access** to machines running Festo software.
- Minimizing and protecting **network access** to connected devices using state-of-the-art techniques and processes.

> For secure operation, follow the recommendations in the product manuals.

Disclaimer: Festo assumes no liability whatsoever for indirect, collateral, accidental or consequential losses that occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided free of charge and on good faith by Festo. Insofar as permissible by law, however, none of this information shall establish any warranty, guarantee, commitment, or liability on the part of Festo.

Note: In no case does this information release the operator or responsible person from the obligation to check the effect on his system or installation before using the information and, in the event of negative consequences, not to use the information.

In addition, the actual general terms and conditions for delivery, payment and software use of Festo, available under http://www.festo.com, and the special provisions for the use of Festo Security Advisory, available at https://www.festo.com/psirt, shall apply.

In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions. In practice this means a local user with low privileges (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, base score 7.1, High) can plant a link in a location the runtime writes to and have the runtime overwrite a file that user could not otherwise modify. No user interaction is needed; the advisory rates integrity and availability impact as High and confidentiality impact as None. Updating the CodeMeter Runtime to 7.30a or later removes the issue regardless of which Festo product bundled it.

CWE-59 - Improper Link Resolution Before File Access ('Link Following')
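The following is an added example and not code from the Festo advisory or from WIBU Systems: a minimal POSIX reproduction of the CWE-59 pattern the description above refers to, with a naive writer next to a hardened one. Only the directory name "CmDongles" comes from the advisory; the file name, the victim file and the payload are constructed for the demo, and the hardened variant is a generic mitigation, not WIBU's actual fix.

```python
"""
Added example (not Festo's or WIBU's code): a privileged component writes into
a directory that a low-privileged user can populate. If the user plants a
symlink there, the naive writer follows it and clobbers the link target with
the writer's privileges; the hardened writer refuses to follow links.
Assumes a POSIX system (os.O_NOFOLLOW, os.O_DIRECTORY, dir_fd support).
"""
import os
import stat
import tempfile


def vulnerable_write(path: str, data: bytes) -> None:
    # Follows whatever 'path' resolves to. If it is a planted symlink, the
    # bytes land on the link target, i.e. an arbitrary file overwrite.
    with open(path, "wb") as fh:
        fh.write(data)


def hardened_write(directory: str, name: str, data: bytes) -> None:
    # Accept only a plain file name so the caller cannot escape 'directory'.
    if not name or name in (".", "..") or os.sep in name or (os.altsep and os.altsep in name):
        raise ValueError(f"refusing unsafe file name {name!r}")
    # Open the directory itself, refusing to follow a link standing in for it.
    dir_fd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        # Open relative to the directory fd. O_NOFOLLOW makes the kernel fail
        # with ELOOP when the final component is a symlink, instead of following it.
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW,
                     0o600, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    try:
        # Whatever was opened must be a regular file (not a FIFO, device, ...).
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError(f"{name!r} is not a regular file")
        os.write(fd, data)
    finally:
        os.close(fd)


def _read(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Plants a symlink in a CmDongles-style directory and runs both writers.
    Returns what happened to the victim file in each case."""
    original, payload = b"original contents\n", b"attacker-controlled data\n"
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "important.conf")   # constructed victim file
        with open(victim, "wb") as fh:
            fh.write(original)
        dongle_dir = os.path.join(tmp, "CmDongles")   # directory name from the advisory
        os.mkdir(dongle_dir)
        link_name = "dongle-image.bin"                # hypothetical file name
        os.symlink(victim, os.path.join(dongle_dir, link_name))

        vulnerable_write(os.path.join(dongle_dir, link_name), payload)
        vulnerable_overwrote = _read(victim) == payload

        with open(victim, "wb") as fh:                # reset the victim
            fh.write(original)
        try:
            hardened_write(dongle_dir, link_name, payload)
            hardened_blocked = False
        except OSError:                               # ELOOP from O_NOFOLLOW
            hardened_blocked = True
        victim_intact = _read(victim) == original

        # A genuine file (no link involved) is still written by the hardened path.
        hardened_write(dongle_dir, "real-file.bin", b"ok\n")
        legit_write_ok = _read(os.path.join(dongle_dir, "real-file.bin")) == b"ok\n"
    return {
        "vulnerable_overwrote": vulnerable_overwrote,
        "hardened_blocked": hardened_blocked,
        "victim_intact": victim_intact,
        "legit_write_ok": legit_write_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The affected Festo products run on Windows, where the same class of bug is avoided by opening with FILE_FLAG_OPEN_REPARSE_POINT and rejecting reparse points, or by not writing as a privileged account into directories that unprivileged users can populate at all; the `O_NOFOLLOW` path above is the POSIX form of the same check.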
Vendor Fix

FluidDraw P5, FluidDraw P6
Avoid any FluidDraw installation with a FluidDraw installation package below version 6.2c. Updated versions of FluidDraw are available on the Festo website. In case of a FluidDraw installation package with a version below 6.2c, do not use the WIBU CodeMeter package that is part of the FluidDraw installation package. Skip the CodeMeter installation step during the FluidDraw installation and instead use a current CodeMeter version from the WIBU website and install that separately. In case of an already installed vulnerable CodeMeter version, update all of these WIBU CodeMeter installations with the current version of WIBU CodeMeter. Please refer to the WIBU CodeMeter documentation and website for further details and mitigations on usage of WIBU CodeMeter Runtime before 7.30a.

CIROS
For future installations, ensure you're using a CIROS installer downloaded from https://ip.festo-didactic.com/Infoportal/CIROS/EN/Download.html after September 15, 2022. For existing installations, update the WIBU CodeMeter Runtime separately with at least version 7.30a downloaded from the WIBU Systems website. Please refer to the WIBU CodeMeter documentation and website for further details and mitigations on usage of WIBU CodeMeter Runtime before 7.30a.

MES PC
If your copy of MES4 came preinstalled on a PC shipped before December 2022, make sure this PC has at least CodeMeter Runtime 7.30a installed. If necessary, download the update from the WIBU Systems website.

Additional to the above:
Festo strongly recommends restricting unprivileged access to machines running Festo software and minimizing and protecting network access to connected devices with state-of-the-art techniques and processes. For secure operation, follow the recommendations in the product manuals.
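The remediation sections above (both the Notes and the Vendor Fix) reduce to two version thresholds: the installed CodeMeter Runtime must be at least 7.30a, and FluidDraw installation packages below 6.2c bundle an affected runtime. The following is an added example, not a Festo or WIBU tool, that applies those thresholds to a constructed host inventory. The version format "major.minor[letter]" is taken from the versions the advisory quotes; treating a missing letter as sorting before "a" is an assumption, and the hostnames and versions in the inventory are illustrative only.

```python
"""
Added example (not Festo's or WIBU's code): triage of a constructed inventory
against the fixed-version thresholds quoted in FSA-202206.
Assumption: versions look like '7.30a' or '6.2c' (major.minor plus an optional
lower-case patch letter), and a missing letter sorts before 'a'.
"""
import re
from typing import Iterable, List, Optional, Tuple

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)([a-z])?$")

# Thresholds quoted in the advisory.
MIN_FIXED_RUNTIME = "7.30a"        # CodeMeter Runtime below this is affected
MIN_FIXED_FLUIDDRAW_PKG = "6.2c"   # FluidDraw packages below this bundle an affected runtime


def parse_version(version: str) -> Tuple[int, int, int]:
    """'7.30a' -> (7, 30, 1); '7.30' -> (7, 30, 0); '6.2c' -> (6, 2, 3)."""
    match = _VERSION_RE.match(version.strip().lower())
    if not match:
        raise ValueError(f"unrecognised version string {version!r}")
    major, minor, letter = match.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return int(major), int(minor), patch


def runtime_is_affected(runtime_version: str) -> bool:
    return parse_version(runtime_version) < parse_version(MIN_FIXED_RUNTIME)


def fluiddraw_package_is_affected(package_version: str) -> bool:
    return parse_version(package_version) < parse_version(MIN_FIXED_FLUIDDRAW_PKG)


Host = Tuple[str, Optional[str], Optional[str]]  # (hostname, runtime version, FluidDraw package version)


def triage(hosts: Iterable[Host]) -> List[Tuple[str, str]]:
    """Returns (hostname, action) pairs for every host that needs work.
    A host with no recorded runtime version is flagged rather than assumed safe."""
    actions: List[Tuple[str, str]] = []
    for host, runtime, pkg in hosts:
        if runtime is None:
            actions.append((host, "no CodeMeter Runtime version recorded; inventory it"))
            continue
        if runtime_is_affected(runtime):
            actions.append((host, f"update CodeMeter Runtime {runtime} to at least {MIN_FIXED_RUNTIME}"))
        if pkg is not None and fluiddraw_package_is_affected(pkg):
            actions.append((host, f"FluidDraw package {pkg} bundles an affected runtime; "
                                  "skip its CodeMeter step and install the runtime separately"))
    return actions


# Constructed inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY: List[Host] = [
    ("eng-ws-01", "7.21b", "6.1a"),
    ("eng-ws-02", "7.30a", "6.2c"),
    ("eng-ws-03", "7.30", None),
    ("mes-pc-01", None, None),
    ("ciros-lab-01", "7.40a", None),
]

if __name__ == "__main__":
    for hostname, action in triage(SAMPLE_INVENTORY):
        print(f"{hostname}: {action}")
```

The inventory values would normally come from whatever software-inventory source the site already has; the point of the check is the ordering, in particular that a runtime reporting "7.30" without the patch letter is still below "7.30a" and is therefore still treated as affected.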
Acknowledgments
CERT@VDE (https://certvde.com): coordination and support with this publication

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination and support with this publication",
        "urls": [
          "https://certvde.com"
        ]
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "summary",
        "text": "A vulnerability\u00a0was\u00a0reported in WIBU-SYSTEMS CodeMeter Runtime. WIBU-SYSTEMS CodeMeter Runtime is part of the installation packages of several Festo products.FluidDraw \u003c 6.2c and CIROS \u003c= 7.0.6 contain a vulnerable version of WIBU-SYSTEMS CodeMeter Runtime.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "### FluidDraw P5, FluidDraw P6\n\nAvoid any FluidDraw installation with a FluidDraw installation package below version 6.2c.  \nUpdated versions of FluidDraw are available on the Festo website.\n\nIn case of a FluidDraw installation package with a version below 6.2c:\n\n- **Do not use** the WIBU CodeMeter package that is part of the FluidDraw installation package.\n- Skip the CodeMeter installation step during the FluidDraw installation.\n- Instead, use a current CodeMeter version from the WIBU website and install it separately.\n- In case of an already installed vulnerable CodeMeter version, update all these WIBU CodeMeter installations with the current version of WIBU CodeMeter.\n\n\u003e Please refer to the WIBU CodeMeter documentation and website for further details and mitigations on usage of WIBU CodeMeter Runtime before 7.30a.\n\n---\n\n### CIROS\n\nFor future installations:\n\n- Use a CIROS installer downloaded from [https://ip.festo-didactic.com/](https://ip.festo-didactic.com/)  \n- Make sure it is downloaded **after September 15, 2022**\n\nFor existing installations:\n\n- Update the WIBU CodeMeter Runtime separately to at least **version 7.30a** (downloaded from the WIBU Systems website).\n- Refer to the WIBU CodeMeter documentation and website for further details and mitigations.\n\n---\n\n## MES PC\n\nIf your copy of MES4 came preinstalled on a PC shipped **before December 2022**:\n\n- Ensure the PC has at least **CodeMeter Runtime 7.30a** installed.\n- If necessary, download the update from the WIBU Systems website.\n\n---\n\n### Additional to the above\n\nFesto strongly recommends:\n\n- Restricting **unprivileged access** to machines running Festo software.\n- Minimizing and protecting **network access** to connected devices using state-of-the-art techniques and processes.\n\n\u003e For secure operation, follow the recommendations in the product manuals.",
        "title": "Remediation"
      },
      {
        "category": "legal_disclaimer",
        "text": "Festo assumes no liability whatsoever for indirect, collateral, accidental or consequential losses that occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided free of charge and on good faith by Festo. Insofar as permissible by law, however, none of this information shall establish any warranty, guarantee, commitment, or liability on the part of Festo.\\n\\nNote: In no case does this information release the operator or responsible person from the obligation to check the effect on his system or installation before using the information and, in the event of negative consequences, not to use the information.\\n\\nIn addition, the actual general terms, and conditions for delivery, payment and software use of Festo, available under http://www.festo.com and the special provisions for the use of Festo Security Advisory available at https://www.festo.com/psirt shall apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@festo.com",
      "name": "Festo SE \u0026 Co. KG",
      "namespace": "https://festo.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "FSA-202206: Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2022-038/"
      },
      {
        "category": "self",
        "summary": "FSA-202206: Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products - CSAF",
        "url": "https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2022/fsa-202206.json"
      },
      {
        "category": "external",
        "summary": "For further security-related issues in Festo products please contact the Festo Product Security Incident Response Team (PSIRT)",
        "url": "https://festo.com/psirt"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories",
        "url": "https://certvde.com/en/advisories/vendor/festo/"
      },
      {
        "category": "external",
        "summary": "WIBU Systems Security Advisory WIBU-210910-01",
        "url": "https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf"
      },
      {
        "category": "external",
        "summary": "CVE-2021-41057",
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41057"
      }
    ],
    "title": "Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products",
    "tracking": {
      "aliases": [
        "VDE-2022-038"
      ],
      "current_release_date": "2025-10-01T10:50:00.000Z",
      "generator": {
        "date": "2025-10-02T08:24:43.077Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.36"
        }
      },
      "id": "FSA-202206",
      "initial_release_date": "2022-12-13T11:50:00.000Z",
      "revision_history": [
        {
          "date": "2022-12-13T11:50:00.000Z",
          "number": "1.0.0",
          "summary": "Initial revision."
        },
        {
          "date": "2024-01-11T10:00:00.000Z",
          "legacy_version": "1.01",
          "number": "1.0.1",
          "summary": "Adjust link to VDE Advisory"
        },
        {
          "date": "2025-10-01T10:50:00.000Z",
          "number": "1.0.2",
          "summary": "Adjusted to VDE template. Changed title from \"Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple Festo products\" to \"Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products\"."
        }
      ],
      "status": "final",
      "version": "1.0.2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=6.4.6(before 2022-09-15)",
                    "product": {
                      "name": "CIROS \u003c=6.4.6 (before 2022-09-15)",
                      "product_id": "CSAFPID-51001",
                      "product_identification_helper": {
                        "model_numbers": [
                          "8038980"
                        ],
                        "x_generic_uris": [
                          {
                            "namespace": "Festo:Partnumber",
                            "uri": "Festo:Partnumber:8038980"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "category": "product_version_range",
                    "name": "\u003c=7.0.6(before 2022-09-15)",
                    "product": {
                      "name": "CIROS \u003c=7.0.6 (before 2022-09-15)",
                      "product_id": "CSAFPID-51002",
                      "product_identification_helper": {
                        "model_numbers": [
                          "8140772",
                          "8140773"
                        ],
                        "x_generic_uris": [
                          {
                            "namespace": "Festo:Partnumber",
                            "uri": "Festo:Partnumber:8140772"
                          },
                          {
                            "namespace": "Festo:Partnumber",
                            "uri": "Festo:Partnumber:8140773"
                          }
                        ]
                      }
                    }
                  }
                ],
                "category": "product_name",
                "name": "CIROS"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:all/*",
                    "product": {
                      "name": "FluidDraw P5 vers:all/*",
                      "product_id": "CSAFPID-51003"
                    }
                  }
                ],
                "category": "product_name",
                "name": "FluidDraw P5"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c6.2c",
                    "product": {
                      "name": "FluidDraw P6 \u003c6.2c",
                      "product_id": "CSAFPID-51004"
                    }
                  }
                ],
                "category": "product_name",
                "name": "FluidDraw P6"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:all/*",
                    "product": {
                      "name": "MES PC vers:all/*",
                      "product_id": "CSAFPID-51005"
                    }
                  }
                ],
                "category": "product_name",
                "name": "MES PC"
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "Festo"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-51001",
          "CSAFPID-51002",
          "CSAFPID-51003",
          "CSAFPID-51004",
          "CSAFPID-51005"
        ],
        "summary": "Affected products."
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-41057",
      "cwe": {
        "id": "CWE-59",
        "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
      },
      "notes": [
        {
          "category": "description",
          "text": "In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-51001",
          "CSAFPID-51002",
          "CSAFPID-51003",
          "CSAFPID-51004",
          "CSAFPID-51005"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "FluidDraw P5, FluidDraw P6\nAvoid any FluidDraw installation with a FluidDraw installation package below version 6.2c. Updated versions of FluidDraw are available on the Festo website.\nIn case of a FluidDraw installation package with a version below 6.2c, do not use the WIBU CodeMeter package, that is part of the FluidDraw installation package. Skip the CodeMeter installation step during the FluidDraw installation and instead use a current CodeMeter version from the WIBU website and install that separately. In case of an already installed vulnerable CodeMeter version, update all of these WIBU CodeMeter installations with the current version of WIBU CodeMeter.\nPlease refer to the WIBU CodeMeter documentation and website for further details and mitigations on usage of WIBU CodeMeter Runtime before 7.30a.\n\n\n\n\nCIROS\nFor future installations, ensure you\u0027re using a CIROS installer downloaded from https://ip.festo-didactic.com/ Infoportal/CIROS/EN/Download.html after September 15, 2022. For existing installations, update the WIBU CodeMeter Runtime separately with at least version 7.30a downloaded from the WIBU Systems website. Please refer to the WIBU CodeMeter documentation and website for further details and mitigations on usage of WIBU CodeMeter Runtime before 7.30a.\nMES PC\nIf your copy of MES4 came preinstalled on a PC shipped before December 2022, you\u0027ll need to make sure this PC has at least CodeMeter Runtime 7.30a installed. If necessary, download the update from the WIBU Systems website.\nAdditional to the above:\n\n\n\n\n\n\n\n\nFesto strongly recommends to restrict unprivileged access to machines running Festo software and to minimize and protect network access to connected devices with state of the art techniques and processes. \nFor a secure operation follow the recommendations in the product manuals.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalScore": 7.1,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 7.1,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51001",
            "CSAFPID-51002",
            "CSAFPID-51003",
            "CSAFPID-51004",
            "CSAFPID-51005"
          ]
        }
      ],
      "title": "CVE-2021-41057"
    }
  ]
}