VDE-2020-030

Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2020-09-09 06:22 - Updated: 2020-09-09 06:22
Summary
PHOENIX CONTACT: Products utilizing WIBU-SYSTEMS CodeMeter components
Notes
Summary: Several vulnerabilities have been discovered in WIBU-SYSTEMS CodeMeter and were published on 08 September 2020. Phoenix Contact is only affected by a subset of these vulnerabilities. Phoenix Contact products are not affected by vulnerabilities WIBU-200521-01 (CVE-2020-14513), WIBU-200521-04 (CVE-2020-14517) and WIBU-200521-06 (CVE-2020-14515). For further information please refer to the WIBU advisories directly at https://wibu.com/support/security-advisories.html
Impact:

| **WIBU Security Advisory** | **CVE Number** | **Description** | **Phoenix Contact products according to the table above** |
|---|---|---|---|
| WIBU-200521-01 | CVE-2020-14513 **Score:** 7.5 | Improper Input Validation of WibuRaU files in CodeMeter Runtime | **Products are not affected** as Phoenix Contact is using a Universal Firm Code |
| WIBU-200521-02 | CVE-2020-14519 **Score:** 8.1 | CodeMeter Runtime WebSockets API: Missing Origin Validation | **Products are affected** according to WIBU Systems classification |
| WIBU-200521-03 | CVE-2020-14509 **Score:** 10.0 | CodeMeter Runtime DoS due to Buffer Access with Incorrect Length Value | **Products are affected** according to WIBU Systems classification |
| WIBU-200521-04 | CVE-2020-14517 **Score:** 9.4 | CodeMeter Runtime API: Inadequate Encryption Strength and Authentication | **Products are not affected** as Phoenix Contact is using AxProtector |
| WIBU-200521-05 | CVE-2020-16233 **Score:** 7.5 | CodeMeter Runtime API: Heap Leak | **Products are affected** according to WIBU Systems classification |
| WIBU-200521-06 | CVE-2020-14515 **Score:** 7.4 | Improper Signature Verification of CmActLicense update files for CmActLicense Firm Code | **Products are not affected** as Phoenix Contact is using a Universal Firm Code |

Phoenix Contact devices using CodeMeter embedded are not affected by these vulnerabilities. According to WIBU-SYSTEMS, the Universal Firm Codes (UFC) used by Phoenix Contact are not affected.
Mitigation: Use general security best practices to protect systems from local and network attacks as described in the application note AH EN INDUSTRIAL SECURITY. Disable the CodeMeter Runtime WebSockets API. Run CodeMeter only as a client and bind CodeMeter communication to localhost. If you need to operate CodeMeter Runtime as a Network License Server, make sure that it is operated in a secure environment. For detailed information please refer to the original WIBU Systems advisories.
Remediation: WIBU-SYSTEMS has released a new CodeMeter Runtime version 7.10 to fix the known vulnerabilities and may continue to release further updated versions in the future. Phoenix Contact has released a new version of Activation Wizard, 1.3.2, used for activation and deactivation of licenses, which installs CodeMeter Runtime 7.10 on Windows PCs. After installation of Activation Wizard 1.3.2, all installed products using CodeMeter Runtime will use the latest CodeMeter Runtime 7.10 version. Activation Wizard 1.3.2 contains the official WIBU-SYSTEMS fix for the known vulnerabilities and disables the WebSockets API as recommended by WIBU-SYSTEMS. We strongly recommend downloading and installing Activation Wizard 1.3.2 or higher, as the CVSS scores of the vulnerabilities are critical and high. Activation Wizard is available via the download areas of PLCnext Engineer, FL Network Manager, or EV Charging Suite. Since there can only be one installation of CodeMeter Runtime on a system, installing the latest version of CodeMeter Runtime as included in Activation Wizard will fix the vulnerabilities for all other applications using CodeMeter Runtime as well. Please check your product's web site for further updates regularly, or register for Phoenix Contact PSIRT information to receive the latest updates about security advisories. Phoenix Contact recommends following security best practices to protect systems from local and network attacks as described in the application note AH EN INDUSTRIAL SECURITY.

CVE-2020-16233

An attacker could send a specially crafted packet that could cause CodeMeter (all versions prior to 7.10) to send back packets containing data from the heap.

CWE-404 - Improper Resource Shutdown or Release
Mitigation: Use general security best practices to protect systems from local and network attacks as described in the application note AH EN INDUSTRIAL SECURITY. Disable the CodeMeter Runtime WebSockets API. Run CodeMeter only as a client and bind CodeMeter communication to localhost. If you need to operate CodeMeter Runtime as a Network License Server, make sure that it is operated in a secure environment. For detailed information please refer to the original WIBU Systems advisories.
Vendor Fix: WIBU-SYSTEMS has released a new CodeMeter Runtime version 7.10 to fix the known vulnerabilities and may continue to release further updated versions in the future. Phoenix Contact has released a new version of Activation Wizard, 1.3.2, used for activation and deactivation of licenses, which installs CodeMeter Runtime 7.10 on Windows PCs. After installation of Activation Wizard 1.3.2, all installed products using CodeMeter Runtime will use the latest CodeMeter Runtime 7.10 version. Activation Wizard 1.3.2 contains the official WIBU-SYSTEMS fix for the known vulnerabilities and disables the WebSockets API as recommended by WIBU-SYSTEMS. We strongly recommend downloading and installing Activation Wizard 1.3.2 or higher, as the CVSS scores of the vulnerabilities are critical and high. Activation Wizard is available via the download areas of PLCnext Engineer, FL Network Manager, or EV Charging Suite. Since there can only be one installation of CodeMeter Runtime on a system, installing the latest version of CodeMeter Runtime as included in Activation Wizard will fix the vulnerabilities for all other applications using CodeMeter Runtime as well. Please check your product's web site for further updates regularly, or register for Phoenix Contact PSIRT information to receive the latest updates about security advisories. Phoenix Contact recommends following security best practices to protect systems from local and network attacks as described in the application note AH EN INDUSTRIAL SECURITY.

CVE-2020-14509

Multiple memory corruption vulnerabilities exist in CodeMeter (all versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.

CWE-805 - Buffer Access with Incorrect Length Value
Mitigation: Use general security best practices to protect systems from local and network attacks as described in the application note AH EN INDUSTRIAL SECURITY. Disable the CodeMeter Runtime WebSockets API. Run CodeMeter only as a client and bind CodeMeter communication to localhost. If you need to operate CodeMeter Runtime as a Network License Server, make sure that it is operated in a secure environment. For detailed information please refer to the original WIBU Systems advisories.
Vendor Fix: WIBU-SYSTEMS has released a new CodeMeter Runtime version 7.10 to fix the known vulnerabilities and may continue to release further updated versions in the future. Phoenix Contact has released a new version of Activation Wizard, 1.3.2, used for activation and deactivation of licenses, which installs CodeMeter Runtime 7.10 on Windows PCs. After installation of Activation Wizard 1.3.2, all installed products using CodeMeter Runtime will use the latest CodeMeter Runtime 7.10 version. Activation Wizard 1.3.2 contains the official WIBU-SYSTEMS fix for the known vulnerabilities and disables the WebSockets API as recommended by WIBU-SYSTEMS. We strongly recommend downloading and installing Activation Wizard 1.3.2 or higher, as the CVSS scores of the vulnerabilities are critical and high. Activation Wizard is available via the download areas of PLCnext Engineer, FL Network Manager, or EV Charging Suite. Since there can only be one installation of CodeMeter Runtime on a system, installing the latest version of CodeMeter Runtime as included in Activation Wizard will fix the vulnerabilities for all other applications using CodeMeter Runtime as well. Please check your product's web site for further updates regularly, or register for Phoenix Contact PSIRT information to receive the latest updates about security advisories. Phoenix Contact recommends following security best practices to protect systems from local and network attacks as described in the application note AH EN INDUSTRIAL SECURITY.

CVE-2020-14519

This vulnerability allows an attacker to use the internal WebSockets API of CodeMeter via a specifically crafted JavaScript payload, which may allow alteration or creation of license files when combined with CVE-2020-14515. All versions prior to 7.00 are affected, as are version 7.0 or newer with the affected WebSockets API still enabled. This is especially relevant for systems or devices where a web browser is used to access a web server.

CWE-346 - Origin Validation Error
Mitigation: Use general security best practices to protect systems from local and network attacks as described in the application note AH EN INDUSTRIAL SECURITY. Disable the CodeMeter Runtime WebSockets API. Run CodeMeter only as a client and bind CodeMeter communication to localhost. If you need to operate CodeMeter Runtime as a Network License Server, make sure that it is operated in a secure environment. For detailed information please refer to the original WIBU Systems advisories.
Vendor Fix: WIBU-SYSTEMS has released a new CodeMeter Runtime version 7.10 to fix the known vulnerabilities and may continue to release further updated versions in the future. Phoenix Contact has released a new version of Activation Wizard, 1.3.2, used for activation and deactivation of licenses, which installs CodeMeter Runtime 7.10 on Windows PCs. After installation of Activation Wizard 1.3.2, all installed products using CodeMeter Runtime will use the latest CodeMeter Runtime 7.10 version. Activation Wizard 1.3.2 contains the official WIBU-SYSTEMS fix for the known vulnerabilities and disables the WebSockets API as recommended by WIBU-SYSTEMS. We strongly recommend downloading and installing Activation Wizard 1.3.2 or higher, as the CVSS scores of the vulnerabilities are critical and high. Activation Wizard is available via the download areas of PLCnext Engineer, FL Network Manager, or EV Charging Suite. Since there can only be one installation of CodeMeter Runtime on a system, installing the latest version of CodeMeter Runtime as included in Activation Wizard will fix the vulnerabilities for all other applications using CodeMeter Runtime as well. Please check your product's web site for further updates regularly, or register for Phoenix Contact PSIRT information to receive the latest updates about security advisories. Phoenix Contact recommends following security best practices to protect systems from local and network attacks as described in the application note AH EN INDUSTRIAL SECURITY.
Acknowledgments
CERT@VDE (https://certvde.com) - coordination
Claroty: Tal Keren, Sharon Brizinov - reporting
WIBU-Systems - reporting

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "names": [
          "Tal Keren",
          "Sharon Brizinov"
        ],
        "organization": "Claroty",
        "summary": "reporting"
      },
      {
        "organization": "WIBU-Systems",
        "summary": "reporting"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "Several vulnerabilities have been discovered in WIBU-SYSTEMS CodeMeter and published 08 September 2020. Phoenix Contact is only affected by a subset of these vulnerabilities.\n\nPhoenix Contact products are not affected by vulnerabilities WIBU-200521-01 (CVE-2020- 14513), WIBU-200521-04 (CVE-2020-14517, and WIBU-200521-06 (CVE-2020-14515). For further Information please refer to WIBU Advisories directly at https://wibu.com/support/security-advisories.html",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "| **WIBU Security Advisory** | **CVE Number**              | **Description**                                                                                          | **Phoenix Contact products according table above**                                                    |\n|----------------------------|-----------------------------|----------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|\n| WIBU-200521-01             | CVE-2020-14513 **Score:** 7.5  | Improper Input Validation of WibuRaU files in CodeMeter Runtime                                           | **Products are not affected** as Phoenix Contact is using a Universal Firm Code                      |\n| WIBU-200521-02             | CVE-2020-14519 **Score:** 8.1  | CodeMeter Runtime WebSockets API: Missing Origin Validation                                               | **Products are affected** according to WIBU Systems classification                                    |\n| WIBU-200521-03             | CVE-2020-14509 **Score:** 10.0 | CodeMeter Runtime DoS due to Buffer Access with Incorrect Length Value                                    | **Products are affected** according to WIBU Systems classification                                    |\n| WIBU-200521-04             | CVE-2020-14517 **Score:** 9.4  | CodeMeter Runtime API: Inadequate Encryption Strength and Authentication                                  | **Products are not affected** as Phoenix Contact is using AxProtector                                 |\n| WIBU-200521-05             | CVE-2020-16233 **Score:** 7.5  | CodeMeter Runtime API: Heap Leak                                                                          | **Products are affected** according to WIBU Systems classification                                    |\n| WIBU-200521-06             | CVE-2020-14515 **Score:** 7.4  | Improper Signature Verification of CmActLicense update files for CmActLicense Firm Code                  | **Products are not affected** as Phoenix Contact is using a Universal Firm Code                      |\n\nPhoenix Contact devices using CodeMeter embedded are not affected by these vulnerabilities. According to WIBU SYSTEMS Universal Firm Codes (UFC) used by Phoenix Contact are not affected.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Use general security best practices to protect systems from local and network attacks like described in the application note AH EN INDUSTRIAL SECURITY.\nDisable the CodeMeter Runtime WebSockets API.\nRun CodeMeter only as client and use localhost as binding for the CodeMeter communication. If you need to operate CodeMeter Runtime as Network License Server please make sure that it is operated in a secure environment.\n\nFor detailed information please refer to WIBU Systems original Advisories.",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "WIBU-SYSTEMS has released a new CodeMeter Runtime version 7.10 to fix the known vulnerabilities and may continue to release further updated versions in the future.\n\nPhoenix Contact has released a new version of Activation Wizard 1.3.2, used for activation and deactivation of licenses, installing CodeMeter Runtime 7.10 on Windows PCs.\nAfter installation of Activation Wizard 1.3.2 all installed products using CodeMeter Runtime will use the latest CodeMeter Runtime 7.10 version.\nActivation Wizard 1.3.2 contains the official fix of WIBU-SYSTEMS for the known variabilities and is disabling the WebSockets API like recommended by WIBU-SYSTEMS.\n\nWe strongly recommend downloading and installing Activation Wizard 1.3.2 or higher as the CVSS Score of the vulnerabilities are critical and high. Activation Wizard is available via the download areas of PLCnext Engineer, FL Network Manager, or EV Charging Suite.\nSince there can only be one installation of CodeMeter Runtime on a system, installing the latest version of CodeMeter Runtime as being included in Activation Wizard will fix the vulnerabilities for all other applications using CodeMeter Runtime as well.\n\nPlease check your products web site for further updates regularly or register to Phoenix Contact PSIRT information\u0027s to receive latest updates about security advisories.\n\nPhoenix Contact recommends following security best practices to protect systems from local and network attacks as described in the application note AH EN INDUSTRIAL SECURITY.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@phoenixcontact.com",
      "name": "Phoenix Contact GmbH \u0026 Co. KG",
      "namespace": "https://phoenixcontact.com/psirt"
    },
    "references": [
      {
        "category": "self",
        "summary": "VDE-2020-030: PHOENIX CONTACT: Products utilizing WIBU-SYSTEMS CodeMeter components - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2020-030/"
      },
      {
        "category": "self",
        "summary": "VDE-2020-030: PHOENIX CONTACT: Products utilizing WIBU-SYSTEMS CodeMeter components - CSAF",
        "url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2020/vde-2020-030.json"
      },
      {
        "category": "external",
        "summary": "Vendor PSIRT",
        "url": "https://phoenixcontact.com/psirt"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Phoenix Contact GmbH \u0026 Co. KG",
        "url": "https://certvde.com/en/advisories/vendor/phoenixcontact/"
      }
    ],
    "title": "PHOENIX CONTACT: Products utilizing WIBU-SYSTEMS CodeMeter components",
    "tracking": {
      "aliases": [
        "VDE-2020-030"
      ],
      "current_release_date": "2020-09-09T06:22:00.000Z",
      "generator": {
        "date": "2025-06-11T14:08:34.129Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.27"
        }
      },
      "id": "VDE-2020-030",
      "initial_release_date": "2020-09-09T06:22:00.000Z",
      "revision_history": [
        {
          "date": "2020-09-09T06:22:00.000Z",
          "number": "1.0.0",
          "summary": "Initial revision."
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=1.7.3",
                    "product": {
                      "name": "E-Mobility Charging Suite license codes for EV Charging Suite Setup \u003c=1.7.3",
                      "product_id": "CSAFPID-51001",
                      "product_identification_helper": {
                        "model_numbers": [
                          "1086921"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_name",
                "name": "E-Mobility Charging Suite license codes for EV Charging Suite Setup"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=4.20",
                    "product": {
                      "name": "FL Network Manager \u003c=4.20",
                      "product_id": "CSAFPID-51002",
                      "product_identification_helper": {
                        "model_numbers": [
                          "2702889"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_name",
                "name": "FL Network Manager"
              },
              {
                "branches": [
                  {
                    "category": "product_version",
                    "name": "1.7.0",
                    "product": {
                      "name": "IOL-CONF 1.7.0",
                      "product_id": "CSAFPID-51003",
                      "product_identification_helper": {
                        "model_numbers": [
                          "1083065"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_name",
                "name": "IOL-CONF"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=2020.06",
                    "product": {
                      "name": "PC Worx Engineer \u003c=2020.06",
                      "product_id": "CSAFPID-51004",
                      "product_identification_helper": {
                        "model_numbers": [
                          "1046008"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_name",
                "name": "PC Worx Engineer"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=2020.06",
                    "product": {
                      "name": "PLCnext Engineer EDU LIC \u003c=2020.06",
                      "product_id": "CSAFPID-51005",
                      "product_identification_helper": {
                        "model_numbers": [
                          "1165889"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_name",
                "name": "PLCnext Engineer EDU LIC"
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "Vendor"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-51001",
          "CSAFPID-51002",
          "CSAFPID-51003",
          "CSAFPID-51004",
          "CSAFPID-51005"
        ],
        "summary": "Affected products."
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-16233",
      "cwe": {
        "id": "CWE-404",
        "name": "Improper Resource Shutdown or Release"
      },
      "notes": [
        {
          "category": "description",
          "text": "An attacker could send a specially crafted packet that could have CodeMeter (All versions prior to 7.10) send back packets containing data from the heap.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-51001",
          "CSAFPID-51002",
          "CSAFPID-51003",
          "CSAFPID-51004",
          "CSAFPID-51005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Use general security best practices to protect systems from local and network attacks like described in the application note AH EN INDUSTRIAL SECURITY.\nDisable the CodeMeter Runtime WebSockets API.\nRun CodeMeter only as client and use localhost as binding for the CodeMeter communication. If you need to operate CodeMeter Runtime as Network License Server please make sure that it is operated in a secure environment.\n\nFor detailed information please refer to WIBU Systems original Advisories.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "WIBU-SYSTEMS has released a new CodeMeter Runtime version 7.10 to fix the known vulnerabilities and may continue to release further updated versions in the future.\n\nPhoenix Contact has released a new version of Activation Wizard 1.3.2, used for activation and deactivation of licenses, installing CodeMeter Runtime 7.10 on Windows PCs.\nAfter installation of Activation Wizard 1.3.2 all installed products using CodeMeter Runtime will use the latest CodeMeter Runtime 7.10 version.\nActivation Wizard 1.3.2 contains the official fix of WIBU-SYSTEMS for the known variabilities and is disabling the WebSockets API like recommended by WIBU-SYSTEMS.\n\nWe strongly recommend downloading and installing Activation Wizard 1.3.2 or higher as the CVSS Score of the vulnerabilities are critical and high. Activation Wizard is available via the download areas of PLCnext Engineer, FL Network Manager, or EV Charging Suite.\nSince there can only be one installation of CodeMeter Runtime on a system, installing the latest version of CodeMeter Runtime as being included in Activation Wizard will fix the vulnerabilities for all other applications using CodeMeter Runtime as well.\n\nPlease check your products web site for further updates regularly or register to Phoenix Contact PSIRT information\u0027s to receive latest updates about security advisories.\n\nPhoenix Contact recommends following security best practices to protect systems from local and network attacks as described in the application note AH EN INDUSTRIAL SECURITY.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51001",
            "CSAFPID-51002",
            "CSAFPID-51003",
            "CSAFPID-51004",
            "CSAFPID-51005"
          ]
        }
      ],
      "title": "CVE-2020-16233"
    },
    {
      "cve": "CVE-2020-14509",
      "cwe": {
        "id": "CWE-805",
        "name": "Buffer Access with Incorrect Length Value"
      },
      "notes": [
        {
          "category": "description",
          "text": "Multiple memory corruption vulnerabilities exist in CodeMeter (All versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-51001",
          "CSAFPID-51002",
          "CSAFPID-51003",
          "CSAFPID-51004",
          "CSAFPID-51005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Use general security best practices to protect systems from local and network attacks like described in the application note AH EN INDUSTRIAL SECURITY.\nDisable the CodeMeter Runtime WebSockets API.\nRun CodeMeter only as client and use localhost as binding for the CodeMeter communication. If you need to operate CodeMeter Runtime as Network License Server please make sure that it is operated in a secure environment.\n\nFor detailed information please refer to WIBU Systems original Advisories.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "WIBU-SYSTEMS has released a new CodeMeter Runtime version 7.10 to fix the known vulnerabilities and may continue to release further updated versions in the future.\n\nPhoenix Contact has released a new version of Activation Wizard 1.3.2, used for activation and deactivation of licenses, installing CodeMeter Runtime 7.10 on Windows PCs.\nAfter installation of Activation Wizard 1.3.2 all installed products using CodeMeter Runtime will use the latest CodeMeter Runtime 7.10 version.\nActivation Wizard 1.3.2 contains the official fix of WIBU-SYSTEMS for the known variabilities and is disabling the WebSockets API like recommended by WIBU-SYSTEMS.\n\nWe strongly recommend downloading and installing Activation Wizard 1.3.2 or higher as the CVSS Score of the vulnerabilities are critical and high. Activation Wizard is available via the download areas of PLCnext Engineer, FL Network Manager, or EV Charging Suite.\nSince there can only be one installation of CodeMeter Runtime on a system, installing the latest version of CodeMeter Runtime as being included in Activation Wizard will fix the vulnerabilities for all other applications using CodeMeter Runtime as well.\n\nPlease check your products web site for further updates regularly or register to Phoenix Contact PSIRT information\u0027s to receive latest updates about security advisories.\n\nPhoenix Contact recommends following security best practices to protect systems from local and network attacks as described in the application note AH EN INDUSTRIAL SECURITY.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51001",
            "CSAFPID-51002",
            "CSAFPID-51003",
            "CSAFPID-51004",
            "CSAFPID-51005"
          ]
        }
      ],
      "title": "CVE-2020-14509"
    },
    {
      "cve": "CVE-2020-14519",
      "cwe": {
        "id": "CWE-346",
        "name": "Origin Validation Error"
      },
      "notes": [
        {
          "category": "description",
          "text": "This vulnerability allows an attacker to use the internal WebSockets API for CodeMeter (All versions prior to 7.00 are affected, including Version 7.0 or newer with the affected WebSockets API still enabled. This is especially relevant for systems or devices where a web browser is used to access a web server) via a specifically crafted Java Script payload, which may allow alteration or creation of license files for when combined with CVE-2020-14515.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-51001",
          "CSAFPID-51002",
          "CSAFPID-51003",
          "CSAFPID-51004",
          "CSAFPID-51005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Use general security best practices to protect systems from local and network attacks as described in the application note AH EN INDUSTRIAL SECURITY.\nDisable the CodeMeter Runtime WebSockets API.\nRun CodeMeter only as a client and use localhost as the binding for the CodeMeter communication. If you need to operate CodeMeter Runtime as a Network License Server, please make sure that it is operated in a secure environment.\n\nFor detailed information please refer to the WIBU Systems original advisories.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "WIBU-SYSTEMS has released a new CodeMeter Runtime version 7.10 to fix the known vulnerabilities and may continue to release further updated versions in the future.\n\nPhoenix Contact has released a new version of Activation Wizard 1.3.2, used for activation and deactivation of licenses, which installs CodeMeter Runtime 7.10 on Windows PCs.\nAfter installation of Activation Wizard 1.3.2, all installed products using CodeMeter Runtime will use the latest CodeMeter Runtime 7.10 version.\nActivation Wizard 1.3.2 contains the official fix of WIBU-SYSTEMS for the known vulnerabilities and disables the WebSockets API as recommended by WIBU-SYSTEMS.\n\nWe strongly recommend downloading and installing Activation Wizard 1.3.2 or higher, as the CVSS scores of the vulnerabilities are critical and high. Activation Wizard is available via the download areas of PLCnext Engineer, FL Network Manager, or EV Charging Suite.\nSince there can only be one installation of CodeMeter Runtime on a system, installing the latest version of CodeMeter Runtime as included in Activation Wizard will fix the vulnerabilities for all other applications using CodeMeter Runtime as well.\n\nPlease check your product's web site for further updates regularly, or register for Phoenix Contact PSIRT information to receive the latest updates about security advisories.\n\nPhoenix Contact recommends following security best practices to protect systems from local and network attacks as described in the application note AH EN INDUSTRIAL SECURITY.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51001",
            "CSAFPID-51002",
            "CSAFPID-51003",
            "CSAFPID-51004",
            "CSAFPID-51005"
          ]
        }
      ],
      "title": "CVE-2020-14519"
    }
  ]
}