Claroty uncovers critical vulnerabilities in Wibu-Systems’ CodeMeter product

Operational technology security company Claroty recently released a new report identifying six critical vulnerabilities in Wibu-Systems’ CodeMeter product. These vulnerabilities were confirmed in an advisory issued by the Industrial Control System Computer Emergency Response Team on September 8.

“Successful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data, and prevent normal operation of third-party software dependent on the CodeMeter,” the ICS-CERT advisory said.

ICS-CERT assigned a CVSS score of 10.0, the highest criticality rating available, to the six vulnerabilities collectively. The Common Vulnerability Scoring System assigns severity scores to vulnerabilities in an effort to help responders prioritize responses and resources according to threat.

CodeMeter is a license management and anti-piracy solution used to protect industrial control systems in the pharmaceutical, automotive, and manufacturing industries. The solution’s newly identified vulnerabilities can be exploited in denial-of-service attacks, or to achieve remote code execution.

“These flaws can be exploited via phishing campaigns or directly by attackers who would be able to fingerprint user environments in order to modify existing software licenses or inject malicious ones, causing devices and processes to crash,” Claroty said in a summary of the report’s findings. “Serious encryption implementation issues, also discovered by Claroty, can be exploited to allow attackers to execute code remotely, and move laterally on OT networks.”

Claroty researchers identified significant weaknesses in CodeMeter’s encryption schemes and  licensing scheme. They also uncovered issues in the encryption protecting the proprietary CodeMeter Protocol.

“The worst of the bugs were found in the product’s encryption implementation that Claroty researchers leveraged to attack the CodeMeter communication protocol and internal API in order to remotely communicate with, and send commands to, any machine running CodeMeter,” Claroty said in the summary. “Claroty researchers were also able to find vulnerabilities in the CodeMeter WebSocket API that enables management of licenses via JavaScript; an attacker would have to phish or socially engineer a victim to lure them to a site they control in order to use JavaScript to inject a malicious license of their own onto victim’s machine. Researchers were also able to leverage a separate vulnerability to bypass the digital signatures protecting CodeMeter in order to alter or create valid, forged licenses, and inject them onto any machine running CodeMeter that landed on the attacker’s site.”

Claroty says that Wibu-Systems has made patches available for all of the flaws in version 7.10 of it’s CodeMeter solution. This version has been available since August 11 and many of the affected vendors have been notified. These vendors have added or are currently adding the fixes to their respective installers.

“There’s much more complexity involved than a single vendor patching software and pushing it out to customers; communication must happen across the entire OT and ICS ecosystems, which impacts response times and likely availability once vulnerable devices are addressed,” Claroty said. “Claroty encourages users to access its online utility in order to determine whether CodeMeter is running in their environment.”

Rebecca Addison

Industrial Cyber Editor. Rebecca Addison is a former newspaper editor with a decade of experience in the media industry. During her career, she has interviewed world leaders and corporate CEOs, and covered topics ranging from blockchain and CBD to healthcare and education.