Operational technology security company Claroty recently released a new report identifying six critical vulnerabilities in Wibu-Systems’ CodeMeter product. These vulnerabilities were confirmed in an advisory issued by the Industrial Control System Computer Emergency Response Team (ICS-CERT) on September 8.
“Successful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data, and prevent normal operation of third-party software dependent on the CodeMeter,” the ICS-CERT advisory said.
ICS-CERT assigned a CVSS score of 10.0, the highest criticality rating available, to the six vulnerabilities collectively. The Common Vulnerability Scoring System assigns severity scores to vulnerabilities in an effort to help responders prioritize responses and resources according to threat.
CodeMeter is a license management and anti-piracy solution used to protect industrial control systems in the pharmaceutical, automotive, and manufacturing industries. The solution’s newly identified vulnerabilities can be exploited in denial-of-service attacks, or to achieve remote code execution.
“These flaws can be exploited via phishing campaigns or directly by attackers who would be able to fingerprint user environments in order to modify existing software licenses or inject malicious ones, causing devices and processes to crash,” Claroty said in a summary of the report’s findings. “Serious encryption implementation issues, also discovered by Claroty, can be exploited to allow attackers to execute code remotely, and move laterally on OT networks.”
Claroty researchers identified significant weaknesses in CodeMeter’s encryption and licensing schemes. They also uncovered issues in the encryption protecting the proprietary CodeMeter Protocol.
Claroty says that Wibu-Systems has made patches available for all of the flaws in version 7.10 of its CodeMeter solution. This version has been available since August 11, and many of the affected vendors have been notified. These vendors have added or are currently adding the fixes to their respective installers.
“There’s much more complexity involved than a single vendor patching software and pushing it out to customers; communication must happen across the entire OT and ICS ecosystems, which impacts response times and likely availability once vulnerable devices are addressed,” Claroty said. “Claroty encourages users to access its online utility in order to determine whether CodeMeter is running in their environment.”
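A local inventory check in the same spirit as the online utility the article mentions, written as an added example for this page: it is not code from the article, from Claroty, or from Wibu-Systems. It runs on a Windows host, looks for an installed product and a service whose name contains "CodeMeter", and flags any installed version older than 7.10, the release the article says carries the fixes. The "CodeMeter" name pattern and the uninstall registry locations are assumptions about how the runtime registers itself; adjust them if your deployment differs.

```powershell
# Added example (not from the article, Claroty, or Wibu-Systems): inventory a
# Windows host for a CodeMeter Runtime installation and flag versions older than
# 7.10, the version the article names as containing the fixes.
# Assumptions: the product registers an uninstall entry whose DisplayName contains
# "CodeMeter" and a Windows service whose name or display name contains "CodeMeter".

$FixedVersion = [version]'7.10'
$Pattern      = 'CodeMeter'

# Native and 32-bit-on-64-bit uninstall hives; a 32-bit runtime appears under WOW6432Node.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*$Pattern*" } |
    Select-Object DisplayName, DisplayVersion, InstallDate

$Services = Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*$Pattern*" -or $_.DisplayName -like "*$Pattern*" } |
    Select-Object Name, DisplayName, Status

$Report = [ordered]@{
    ComputerName = $env:COMPUTERNAME
    Installed    = $Installed
    Services     = $Services
    Findings     = @()
}

if (-not $Installed -and -not $Services) {
    $Report.Findings += 'No CodeMeter installation or service found.'
} else {
    foreach ($p in $Installed) {
        $parsed = $null
        # DisplayVersion may be a four-part build string; [version] handles up to four parts,
        # and a build such as 7.10.x.y compares as newer than the bare 7.10 threshold.
        if ([version]::TryParse([string]$p.DisplayVersion, [ref]$parsed)) {
            if ($parsed -lt $FixedVersion) {
                $Report.Findings += "VULNERABLE: $($p.DisplayName) $($p.DisplayVersion) is older than $FixedVersion; update per the vendor advisory."
            } else {
                $Report.Findings += "OK: $($p.DisplayName) $($p.DisplayVersion) is at or above $FixedVersion."
            }
        } else {
            $Report.Findings += "REVIEW: could not parse version '$($p.DisplayVersion)' for $($p.DisplayName)."
        }
    }
    foreach ($s in $Services) {
        $Report.Findings += "Service '$($s.Name)' ($($s.DisplayName)) is $($s.Status)."
    }
}

# Emit JSON so results from many hosts can be collected centrally.
$Report | ConvertTo-Json -Depth 4
```

Run it under an account that can read HKLM and enumerate services; collecting the JSON output from every engineering workstation and HMI gives the list of hosts that still need the vendor's updated installer, which is the coordination problem the article's last paragraph describes.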