Security problem with WIBU CodeMeter with the highest security level CVSS 10.0 (corrected from V3.22)
Corrected from:
PLC Designer V3.22
Response of the new version:
The weak points in the WIBU Codemeter were fixed with PLC Designer Version V3.22.
What happens?
PLC Designer has been installed and uses the WIBU CodeMeter Runtime for licensing. The manufacturer WIBU-SYSTEMS AG recently announced six vulnerabilities in the WIBU CodeMeter Runtime product. The successful exploitation of these vulnerabilities could allow an attacker to
to access heap data,
cause a Denial of Service condition,
to achieve remote code execution,
modify and forge a license file or
to disturb the normal operation of the PLCDesigner.
When does the behaviour occur?
By exploiting vulnerabilities in the WIBU CodeMeter software by an external attacker.
Which products are affected?
PLC Designer version 3.21 and smaller.
Short-term measures:
As part of a security strategy, Lenze recommends the following general measures to reduce the risk of a successful attack:
Use controllers and devices only in a protected environment to minimize network load and ensure that they are not accessible from the outside.
Use firewalls to protect and separate the control system network from other networks.
Use Virtual Private Networks (VPN) tunnels when remote access is required.
Enable and apply user management and password functions.
Restrict access to both the development and control systems by physical means, operating system functions, etc.
Protect both the development and control systems by using up-to-date virus detection solutions.
