ABB reported this Monday that vulnerabilities in Wibu CodeMeter affect Automation Builder, Drive Application Builder and Virtual Drive.
According to the same report, the affected products are:
Automation Builder (AB) versions 184.108.40.2062 and earlier
Drive Application Builder (DAB) versions 220.127.116.111 and earlier
Virtual Drive version 18.104.22.168 and earlier
ABB is aware of public reports of a vulnerability in the product versions listed above. An attacker who successfully exploited these vulnerabilities could cause the Wibu CodeMeter License Server to crash or, in the case of CVE-2021-20093, read data from heap memory.
The vulnerabilities can only be exploited when the default settings of Wibu CodeMeter have been changed, mainly when Wibu CodeMeter is used to manage network access to licenses on a license server.
However, a potential attacker must already have local access to the system. The vulnerabilities have been closed with Wibu CodeMeter V7.21a, which is available for download from the Wibu website.
“We recommend that all users immediately update to Wibu CodeMeter V7.21a or later (Windows 32/64-Bit version). Latest Wibu CodeMeter versions are available for public download from the Wibu website (https://www.wibu.com/support/user/user-software.html). If for any reason the recommended update cannot be made and if Wibu CodeMeter is not used to manage network access to licenses on a license server, ABB recommends checking that the default settings are kept, especially: Run CodeMeter as client only and use localhost as binding for the CodeMeter communication. With binding to localhost an attack is no longer possible via remote network connection. The network server is disabled by default. The CmWAN server is disabled by default. Please check if CmWAN is enabled and disable the feature.”, advise ABB security researchers.
An attacker could send a specially crafted TCP/IP packet that causes the CodeMeter Runtime network server (default port 22350) to return packets containing data from the heap. When generating a response, the server copies data from a heap-based buffer to an output buffer to be sent in the response. The amount to copy is controlled by the client. An unauthenticated remote attacker can exploit this issue to disclose heap memory contents or crash the CodeMeter Runtime.
An attacker could send a specially crafted HTTP(S) request to the CodeMeter Runtime CmWAN server that causes the CodeMeter Runtime Server (i.e., CodeMeter.exe) to crash. The recommended/standard setup is to run a CodeMeter Runtime CmWAN server only behind a reverse proxy with TLS and user authentication. If this is the case and the attacker is not on the same network as the CmWAN server, the attack is only possible for authenticated users. If the attacker is on the same network as the CmWAN server, an unauthenticated user can perform the attack. This is only the case if the attacker can access the CmWAN port directly (default port 22351).
To minimize the risk of exploitation of the CodeMeter vulnerabilities, users should take these defensive measures:
- Locate the control system network behind a firewall and separate it from other networks.
- In environments where the CodeMeter network license server is not in use, configure the firewall to block access to port TCP 22350.
- Block anomalous IP traffic by utilizing a combination of firewalls and intrusion prevention systems.
- Disable or block IP tunneling, both IPv6-in-IPv4 and IP-in-IP tunneling.
- Avoid exposure of the devices to the Internet and use secure methods like VPN when accessing them remotely.
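A quick way to verify the localhost-binding recommendation and the port-blocking measure above on a Windows host is to check whether anything is listening on TCP 22350 or 22351 on a non-loopback address. The script below is an added example, not ABB or Wibu code; it parses `netstat -ano` output, and the sample output it runs on is constructed, not captured from a real system.

```python
import ipaddress
import re

# Ports named in the advisory: CodeMeter network server and CmWAN server.
CODEMETER_PORTS = {22350: "CodeMeter network server", 22351: "CmWAN server"}

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:22350          0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:22351        0.0.0.0:0              LISTENING       4120
  TCP    192.168.10.5:3389      0.0.0.0:0              LISTENING       812
  TCP    [::]:22350             [::]:0                 LISTENING       4120
  TCP    [::1]:22351            [::]:0                 LISTENING       4120
  TCP    10.0.0.7:22350         10.0.0.9:51022         ESTABLISHED     4120
"""

# Only LISTENING TCP sockets matter; established sessions are ignored.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)", re.IGNORECASE)


def split_host_port(addr):
    """Split '0.0.0.0:22350' or '[::]:22350' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """True for 127.0.0.0/8 and ::1; a wildcard bind (0.0.0.0 / ::) is not loopback."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_codemeter_listeners(netstat_output):
    """Return (port, local_address, pid, role) for CodeMeter ports not bound to loopback."""
    findings = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        host, port = split_host_port(m.group(1))
        if port in CODEMETER_PORTS and not is_loopback(host):
            findings.append((port, m.group(1), int(m.group(2)), CODEMETER_PORTS[port]))
    return findings


if __name__ == "__main__":
    for port, addr, pid, role in exposed_codemeter_listeners(SAMPLE_NETSTAT):
        print(f"EXPOSED: {role} (port {port}) listening on {addr}, PID {pid}")
```

On a live host, replace SAMPLE_NETSTAT with the output of `netstat -ano`; any finding means the network server or CmWAN is reachable beyond localhost and the firewall rule or binding change above applies.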