CISA warns on security vulnerabilities found in National Instruments, Wibu-Systems, WECON equipment

The Cybersecurity and Infrastructure Security Agency (CISA) has issued three advisories on the presence of security vulnerabilities in equipment used in industrial control systems.

While the warning on the security loopholes found in hardware from National Instruments is new, the agency updated its previous advisories concerning equipment from the other two vendors – Wibu-Systems and WECON Technology. All three vendors have not had any known public exploits specifically targeting these vulnerabilities.

Used in the critical manufacturing sector, National Instruments’ CompactRIO real-time embedded industrial controller has a vulnerability that can allow an attacker to reboot the device remotely. The incorrect permissions are set by default for an API entry-point of a specific service, allowing a non-authenticated user to trigger a function that could reboot the device remotely.

The weakness has affected driver versions before 20.5, according to CISA. CVE-2020-25191 has been assigned to this vulnerability with a CVSS v3 base score of 7.5. The exploitation of this vulnerability could allow an attacker to reboot the device remotely.

The security agency updated its advisory on the security vulnerabilities found in Wibu-Systems’ CodeMeter technology used by software publishers and intelligent device manufacturers. These remotely exploitable weaknesses can be exploited by low skill levels, leading to buffer access with incorrect length value, inadequate encryption strength, origin validation error, improper input validation, improper verification of the cryptographic signature, and improper resource shutdown or release.

CodeMeter is used globally in multiple critical infrastructure sectors, and the vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data, and prevent normal operation of third-party software dependent on the CodeMeter.

Wibu-Systems recommends that users update to the latest version of the CodeMeter Runtime, run CodeMeter only as a ‘client,’ utilize the new REST API instead of the internal WebSockets API, disable the WebSockets API and apply AxProtector.

In its advisory issued in October, Wibu-Systems advised that larger companies and institutional clients actively check the security vulnerabilities of new releases frequently. There is a chance that users will notice. “By notifying them proactively, you show that you are aware of your responsibility for the security of your users’ systems,” Wibu said in the advisory.

CISA updated its advisory on the loopholes found in WECON’s LeviStudioU product that is used in critical manufacturing, energy, water and wastewater systems. The security vulnerabilities identified relate to stack-based buffer overflow, improper restriction of XML external entity reference and heap-based buffer overflow.

The weaknesses have been found in LeviStudioU release build 2019-09-21 and prior, and exploitation of these loopholes could allow an attacker to execute code under the privileges of the application and obtain sensitive information. WECON is aware of the issue and is currently developing a solution.

The weakness on National Instruments’ CompactRIO industrial controller was reported to the Spanish National Institute of Cybersecurity (INCIBE) by researchers of Titanium Industrial Security, while the vulnerabilities found in the Wibu-Systems’ CodeMeter were reported by Claroty’s Sharon Brizinov and Tal Keren to CISA.

Natnael Samson and Mehmet D. INCE @mdisec from T0.Group, Tran Van Khang – khangkito of VinCSS (member of Vingroup) working with Trend Micro’s Zero Day Initiative, and Peter Cheng from Elex Cybersecurity reported the WECON vulnerabilities to CISA.

CISA reminds users to minimize network exposure for all control system devices and/or systems, ensure that they are not accessible from the internet, and perform proper impact analysis and risk assessment before deploying defensive measures. It also advised users to locate control system networks and remote devices behind firewalls, and isolate them from the business network, and adopt secure methods, such as Virtual Private Networks (VPNs) when remote access is required.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.