VDE-2020-033
Vulnerability from csaf_pilzgmbhcokg - Published: 2020-09-10 13:18 - Updated: 2025-05-14 12:28

Multiple memory corruption vulnerabilities exist in CodeMeter (All versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.
Protocol encryption can be easily broken for CodeMeter (All versions prior to 6.90 are affected, including Version 6.90 or newer only if Software CodeMeter Runtime is running as server) and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.
An attacker could send a specially crafted packet that could have CodeMeter (All versions prior to 7.10) send back packets containing data from the heap.
This vulnerability allows an attacker to use the internal WebSockets API for CodeMeter (All versions prior to 7.00 are affected, including Version 7.0 or newer with the affected WebSockets API still enabled. This is especially relevant for systems or devices where a web browser is used to access a web server) via a specifically crafted JavaScript payload, which may allow alteration or creation of license files when combined with CVE-2020-14515.
CodeMeter (All versions prior to 6.81) and the software using it may crash while processing a specifically crafted license file due to unverified length fields.
Multiple memory corruption vulnerabilities exist in CodeMeter (All versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.
{
"document": {
"acknowledgments": [
{
"names": [
"Sharon Brizinov",
"Tal Keren"
],
"organization": "Claroty",
"summary": "discovered and reported"
},
{
"organization": "CERT@VDE",
"summary": "coordination"
},
{
"organization": "CISA",
"summary": "coordination"
},
{
"organization": "BSI",
"summary": "coordination"
},
{
"organization": "WIBU-Systems"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "A number of Pilz software tools use the Software CodeMeter Runtime application from WIBU-SYSTEMS AG to manage licences. This application contains a number of vulnerabilities, which enable an attacker to change and falsify a licence file, prevent normal operation of CodeMeter (Denial-of-Service) and potentially execute arbitrary code.",
"title": "Summary"
},
{
"category": "description",
"text": "The stated Pilz products are supplied with the WIBU Software CodeMeter Runtime Software in Versions lower than v6.90, which contain a number of vulnerabilities. One of the vulnerabilities enables further vulnerabilities to be exploited via the network.",
"title": "Impact"
},
{
"category": "description",
"text": "Use the current Version 7.10 of the Software CodeMeter Runtime, available via the manufacturer\u0027s website. https://www.wibu.com/de/support/anwendersoftware/anwendersoftware.html \nOnly use the Software CodeMeter Runtime as Client. The software tools named under affected products use the Software CodeMeter Runtime as Client in their default setting.\nPilz also recommends using a local firewall to limit unwanted access to the network services of the device with Software CodeMeter Runtime installed.",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "security@pilz.com",
"name": "Pilz GmbH \u0026 Co. KG",
"namespace": "https://www.pilz.com"
},
"references": [
{
"category": "external",
"summary": "CERT@VDE Security Advisories for Pilz GmbH \u0026 Co. KG",
"url": "https://certvde.com/en/advisories/vendor/pilz"
},
{
"category": "self",
"summary": "VDE-2020-033: Pilz: Multiple products prone to WIBU-SYSTEMS CodeMeter vulnerabilities - HTML",
"url": "https://certvde.com/de/advisories/VDE-2020-033/"
},
{
"category": "self",
"summary": "VDE-2020-033: Pilz: Multiple products prone to WIBU-SYSTEMS CodeMeter vulnerabilities - CSAF",
"url": "https://pilz.csaf-tp.certvde.com/.well-known/csaf/white/2020/vde-2020-033.json"
}
],
"title": "Pilz: Multiple products prone to WIBU-SYSTEMS CodeMeter vulnerabilities",
"tracking": {
"aliases": [
"VDE-2020-033"
],
"current_release_date": "2025-05-14T12:28:19.000Z",
"generator": {
"date": "2024-09-30T11:36:52.290Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.12"
}
},
"id": "VDE-2020-033",
"initial_release_date": "2020-09-10T13:18:00.000Z",
"revision_history": [
{
"date": "2020-09-10T13:18:00.000Z",
"number": "1",
"summary": "Initial revision."
},
{
"date": "2024-11-06T11:27:01.000Z",
"number": "2",
"summary": "Fix: correct certvde domain, added self-reference"
},
{
"date": "2025-05-14T12:28:19.000Z",
"number": "3",
"summary": "Fix: version space, removed ia, firmware category, added distribution"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=V3 3.5.12",
"product": {
"name": "Software CODESYS DevSys \u003c=V3 3.5.12",
"product_id": "CSAFPID-51001"
}
}
],
"category": "product_name",
"name": "CODESYS DevSys"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=1.1.0",
"product": {
"name": "Software Live Video Server \u003c=1.1.0",
"product_id": "CSAFPID-51002"
}
}
],
"category": "product_name",
"name": "Live Video Server"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=1.21.1",
"product": {
"name": "Software PAS4000 \u003c=1.21.1",
"product_id": "CSAFPID-51003"
}
}
],
"category": "product_name",
"name": "PAS4000"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=1.1.3",
"product": {
"name": "Software PASloto \u003c=1.1.3",
"product_id": "CSAFPID-51004"
}
}
],
"category": "product_name",
"name": "PASloto"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=1.9.0",
"product": {
"name": "Software PASvisu \u003c=1.9.0",
"product_id": "CSAFPID-51005"
}
}
],
"category": "product_name",
"name": "PASvisu"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=1.3.0",
"product": {
"name": "Software PNOZsigma \u003c=1.3.0",
"product_id": "CSAFPID-51006"
}
}
],
"category": "product_name",
"name": "PNOZsigma"
},
{
"branches": [
{
"category": "product_version_range",
"name": "3.0.0\u003c=3.0.1",
"product": {
"name": "Software SafetyEYE 3.0.0\u003c=3.0.1",
"product_id": "CSAFPID-51007"
}
}
],
"category": "product_name",
"name": "SafetyEYE"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "PILZ"
},
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c6.90",
"product": {
"name": "Software CodeMeter Runtime \u003c6.90",
"product_id": "CSAFPID-51008"
}
},
{
"category": "product_version",
"name": "7.10",
"product": {
"name": "Software CodeMeter Runtime 7.10",
"product_id": "CSAFPID-52001"
}
}
],
"category": "product_name",
"name": "CodeMeter Runtime"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "WIBU"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007"
],
"summary": "Affected products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006",
"CSAFPID-32007"
],
"summary": "Fixed products."
}
],
"relationships": [
{
"category": "external_component_of",
"full_product_name": {
"name": "Software CodeMeter Runtime \u003c6.90 external component of Software CODESYS DevSys \u003c=V3 3.5.12",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-51008",
"relates_to_product_reference": "CSAFPID-51001"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software CodeMeter Runtime \u003c6.90 external component of Software Live Video Server \u003c=1.1.0",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-51008",
"relates_to_product_reference": "CSAFPID-51002"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software CodeMeter Runtime \u003c6.90 external component of Software PAS4000 \u003c=1.21.1",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-51008",
"relates_to_product_reference": "CSAFPID-51003"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software CodeMeter Runtime \u003c6.90 external component of Software CodeMeter Runtime \u003c6.90",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-51008",
"relates_to_product_reference": "CSAFPID-51008"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software CodeMeter Runtime \u003c6.90 external component of Software PASvisu \u003c=1.9.0",
"product_id": "CSAFPID-31005"
},
"product_reference": "CSAFPID-51008",
"relates_to_product_reference": "CSAFPID-51005"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software CodeMeter Runtime \u003c6.90 external component of Software PNOZsigma \u003c=1.3.0",
"product_id": "CSAFPID-31006"
},
"product_reference": "CSAFPID-51008",
"relates_to_product_reference": "CSAFPID-51006"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software CodeMeter Runtime \u003c6.90 external component of Software SafetyEYE 3.0.0\u003c=3.0.1",
"product_id": "CSAFPID-31007"
},
"product_reference": "CSAFPID-51008",
"relates_to_product_reference": "CSAFPID-51007"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software CodeMeter Runtime 7.10 external component of Software CODESYS DevSys \u003c=V3 3.5.12",
"product_id": "CSAFPID-32001"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-51001"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software CodeMeter Runtime 7.10 external component of Software Live Video Server \u003c=1.1.0",
"product_id": "CSAFPID-32002"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-51002"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software CodeMeter Runtime 7.10 external component of Software PAS4000 \u003c=1.21.1",
"product_id": "CSAFPID-32003"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-51003"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software CodeMeter Runtime 7.10 external component of Software PASloto \u003c=1.1.3",
"product_id": "CSAFPID-32004"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-51004"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software CodeMeter Runtime 7.10 external component of Software PASvisu \u003c=1.9.0",
"product_id": "CSAFPID-32005"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-51005"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software CodeMeter Runtime 7.10 external component of Software PNOZsigma \u003c=1.3.0",
"product_id": "CSAFPID-32006"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-51006"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software CodeMeter Runtime 7.10 external component of Software SafetyEYE 3.0.0\u003c=3.0.1",
"product_id": "CSAFPID-32007"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-51007"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-12499",
"cwe": {
"id": "CWE-805",
"name": "Buffer Access with Incorrect Length Value"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Multiple memory corruption vulnerabilities exist in CodeMeter (All versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006",
"CSAFPID-32007"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Use the current Version 7.10 of the Software CodeMeter Runtime, available via the manufacturer\u0027s website. https://www.wibu.com/de/support/anwendersoftware/anwendersoftware.html \nOnly use the Software CodeMeter Runtime as Client. The software tools named under affected products use the Software CodeMeter Runtime as Client in their default setting.\nPilz also recommends using a local firewall to limit unwanted access to the network services of the device with Software CodeMeter Runtime installed.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007"
]
}
],
"title": "CVE-2020-12499"
},
{
"cve": "CVE-2020-14517",
"cwe": {
"id": "CWE-326",
"name": "Inadequate Encryption Strength"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Protocol encryption can be easily broken for CodeMeter (All versions prior to 6.90 are affected, including Version 6.90 or newer only if Software CodeMeter Runtime is running as server) and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006",
"CSAFPID-32007"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Use the current Version 7.10 of the Software CodeMeter Runtime, available via the manufacturer\u0027s website. https://www.wibu.com/de/support/anwendersoftware/anwendersoftware.html \nOnly use the Software CodeMeter Runtime as Client. The software tools named under affected products use the Software CodeMeter Runtime as Client in their default setting.\nPilz also recommends using a local firewall to limit unwanted access to the network services of the device with Software CodeMeter Runtime installed.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007"
]
}
],
"title": "CVE-2020-14517"
},
{
"cve": "CVE-2020-16233",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An attacker could send a specially crafted packet that could have CodeMeter (All versions prior to 7.10) send back packets containing data from the heap.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006",
"CSAFPID-32007"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Use the current Version 7.10 of the Software CodeMeter Runtime, available via the manufacturer\u0027s website. https://www.wibu.com/de/support/anwendersoftware/anwendersoftware.html \nOnly use the Software CodeMeter Runtime as Client. The software tools named under affected products use the Software CodeMeter Runtime as Client in their default setting.\nPilz also recommends using a local firewall to limit unwanted access to the network services of the device with Software CodeMeter Runtime installed.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007"
]
}
],
"title": "CVE-2020-16233"
},
{
"cve": "CVE-2020-14519",
"cwe": {
"id": "CWE-346",
"name": "Origin Validation Error"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "This vulnerability allows an attacker to use the internal WebSockets API for CodeMeter (All versions prior to 7.00 are affected, including Version 7.0 or newer with the affected WebSockets API still enabled. This is especially relevant for systems or devices where a web browser is used to access a web server) via a specifically crafted JavaScript payload, which may allow alteration or creation of license files when combined with CVE-2020-14515.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006",
"CSAFPID-32007"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Use the current Version 7.10 of the Software CodeMeter Runtime, available via the manufacturer\u0027s website. https://www.wibu.com/de/support/anwendersoftware/anwendersoftware.html \nOnly use the Software CodeMeter Runtime as Client. The software tools named under affected products use the Software CodeMeter Runtime as Client in their default setting.\nPilz also recommends using a local firewall to limit unwanted access to the network services of the device with Software CodeMeter Runtime installed.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007"
]
}
],
"title": "CVE-2020-14519"
},
{
"cve": "CVE-2020-14513",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "CodeMeter (All versions prior to 6.81) and the software using it may crash while processing a specifically crafted license file due to unverified length fields.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006",
"CSAFPID-32007"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Use the current Version 7.10 of the Software CodeMeter Runtime, available via the manufacturer\u0027s website. https://www.wibu.com/de/support/anwendersoftware/anwendersoftware.html \nOnly use the Software CodeMeter Runtime as Client. The software tools named under affected products use the Software CodeMeter Runtime as Client in their default setting.\nPilz also recommends using a local firewall to limit unwanted access to the network services of the device with Software CodeMeter Runtime installed.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007"
]
}
],
"title": "CVE-2020-14513"
},
{
"cve": "CVE-2020-14515",
"cwe": {
"id": "CWE-347",
"name": "Improper Verification of Cryptographic Signature"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Multiple memory corruption vulnerabilities exist in CodeMeter (All versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006",
"CSAFPID-32007"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Use the current Version 7.10 of the Software CodeMeter Runtime, available via the manufacturer\u0027s website. https://www.wibu.com/de/support/anwendersoftware/anwendersoftware.html \nOnly use the Software CodeMeter Runtime as Client. The software tools named under affected products use the Software CodeMeter Runtime as Client in their default setting.\nPilz also recommends using a local firewall to limit unwanted access to the network services of the device with Software CodeMeter Runtime installed.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007"
]
}
],
"title": "CVE-2020-14515"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.