OT networks warned of vulnerabilities in CodeMeter software
Manufacturers using the Wibu-Systems CodeMeter third-party licence management solution are being urged to remain vigilant and to urgently update the solution to CodeMeter version 7.10.
CodeMeter enables software makers to define licenses for their products. It also provides encryption services, anti-tampering, and technology that hinders reverse engineering. CodeMeter is found in many products used in industrial environments.
Previous CodeMeter versions contain several vulnerabilities that, if exploited, could allow attackers to take control of operational technology (OT) networks.
Flagged by security firm Claroty, the CodeMeter vulnerabilities could be exploited through phishing emails or directly through the solution. This could result in software licence modification, and incidents that could cause systems to crash. Attackers could also execute code remotely and move laterally through networks.
A convincing phishing attempt could be as simple as tricking an engineer into visiting the attacker's website, which then infects a machine with malware or exploits. Once that machine is connected to an OT network, attackers could quickly gain access.
Documented vulnerabilities include CVE-2020-14519, which relates to CodeMeter's WebSocket and could allow attackers to inject modified or forged valid licenses. CVE-2020-14515 could allow attackers to bypass digital signatures and replace them with their own licenses, and CVE-2020-14513 could be exploited to cause devices and systems to crash, leading to a denial of service.
"The vulnerabilities described allow an attacker that is either performing a phishing campaign, or one that already has network access to engineering stations and HMIs in critical environments to completely take over those hosts running ICS software from many of the leading vendors," Claroty states.
"This means the attacker may impact and modify physical processes (as was done in the Triton attacks using Industroyer) or install ransomware, as was alleged in the recent incident affecting Japanese automaker Honda, and effectively take down the ICS environment."
Wibu-Systems has included patches in CodeMeter version 7.10. Organisations should update to this version as soon as possible.
Further, Claroty states that many of the affected vendors have been notified and have added, or are in the process of adding, the fixes to their respective installers.
Organisations should also block TCP port 22350 (CodeMeter network protocol) on their border firewall to prevent exploitation of the vulnerability.
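One way to find hosts where the CodeMeter port is reachable beyond the local machine, so the firewall rule can be verified against them. This is an added example, not code from Claroty or Wibu-Systems: it parses `ss -tlnH` output and lists addresses listening on TCP 22350 that are not loopback-only. The sample output is constructed and the function names are hypothetical.

```python
import ipaddress

CODEMETER_PORT = 22350  # CodeMeter network protocol port named in the article

# Constructed sample of `ss -tlnH` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22350 0.0.0.0:*
LISTEN 0 128 127.0.0.1:22352 0.0.0.0:*
LISTEN 0 128 [::1]:22350 [::]:*
LISTEN 0 128 192.0.2.15:22350 0.0.0.0:*
LISTEN 0 128 *:22 *:*
"""

def split_local(field):
    """Split the 'Local Address:Port' column of ss into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and zone id
    return addr, port

def is_loopback(addr):
    """True only when the listener is bound to a loopback address."""
    if addr == "*":  # wildcard bind: every interface
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparsable address: treat as exposed so it gets reviewed

def exposed_listeners(ss_output, port=CODEMETER_PORT):
    """Return local addresses listening on `port` that are reachable off-host."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, lport = split_local(cols[3])
        if lport == str(port) and not is_loopback(addr):
            exposed.append(addr)
    return exposed

if __name__ == "__main__":
    for addr in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"TCP {CODEMETER_PORT} listening on {addr}: "
              "confirm it is blocked at the border firewall")
```

On a Linux host, feed the function the real output of `ss -tlnH` in place of the constructed sample.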
Further, organisations should contact their vendors to find out if they support manual CodeMeter software upgrades that enable the upgrade of third-party components rather than the entire stack.
Claroty has also developed an online tool to detect any CodeMeter products running on systems. This tool is available from Claroty's website.