Vulnerable users would include those in common operational technology (OT) scenarios such as the one above, where a user runs an engineering station on their laptop in order to manage, compile, and transfer code to a human-machine interface (HMI) or programmable logic controllers (PLCs), and so interacts with both IT and OT networks. Researchers were also able to leverage a separate vulnerability to bypass the digital signatures protecting CodeMeter in order to alter or create valid, forged licenses, and inject them onto any machine running CodeMeter that landed on the attacker’s site.

A view of the CodeMeter WebSocket vulnerability over the Purdue Model.
Claroty researchers were also able to find vulnerabilities in the CodeMeter WebSocket API that enables management of licenses via JavaScript; an attacker would have to phish or socially engineer a victim to lure them to a site they control in order to use JavaScript to inject a malicious license of their own onto the victim’s machine. The worst of the bugs were found in the product’s encryption implementation, which Claroty researchers leveraged to attack the CodeMeter communication protocol and internal API in order to remotely communicate with, and send commands to, any machine running CodeMeter.

OT Networks at Risk for Complete Takeover

The Industrial Control System Computer Emergency Response Team (ICS-CERT) today also issued an advisory about these vulnerabilities, and collectively assigned them a CVSS score of 10.0, the highest criticality rating available. Technical details on the vulnerabilities, as well as details about how Claroty uncovered these flaws, are available in a paper released today, titled “License to Kill: Leveraging License Management to Attack ICS Networks.” Wibu-Systems has made patches available for all of the flaws in version 7.10a of CodeMeter, which has been available since Aug. 11; many of the affected vendors have been notified and have added, or are in the process of adding, the fixes to their respective installers. Claroty has built an online utility that will help users determine whether they are running a vulnerable version of CodeMeter.
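A minimal triage check of the kind an asset owner could run over an inventory of CodeMeter installs, added here as an example; it is not Claroty’s online utility or Wibu-Systems code. It assumes CodeMeter version strings take the form major.minor with an optional single-letter revision (as in the fixed version 7.10a named above), and the inventory data is constructed.

```python
import re

# From the page: Wibu-Systems shipped fixes for all six flaws in CodeMeter 7.10a.
FIXED_VERSION = "7.10a"

# Assumed version format: "<major>.<minor>" plus an optional letter revision.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)([a-z])?$")


def parse_version(s):
    """Parse a CodeMeter-style version string such as '7.10a' or '6.90'.

    Returns a tuple that sorts correctly: a revision letter ranks after
    no letter, so 7.10 < 7.10a < 7.10b.  Unknown formats raise rather
    than silently comparing as 'not vulnerable'.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised CodeMeter version string: {s!r}")
    major, minor, rev = m.groups()
    return (int(major), int(minor), rev or "")


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version predates the fixed release."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """inventory: mapping host -> installed version; returns hosts still to patch."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "eng-station-01": "7.10a",   # already on the fixed release
    "hmi-02": "7.00",            # pre-fix
    "plc-laptop-03": "6.90b",    # pre-fix, older major/minor with revision letter
    "build-04": "7.10b",         # later than the fixed release
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: CodeMeter {SAMPLE_INVENTORY[host]} is below {FIXED_VERSION}, patch required")
```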
Customers of these and other affected companies, who operate in numerous industries including medical device makers, automakers, manufacturers, process designers, and many others, could be unaware this vulnerable component is running in their environment. Other vendors are expected to confirm as well; Claroty has published a list of affected vendors that will be updated periodically.
Serious encryption implementation issues, also discovered by Claroty, can be exploited to allow attackers to execute code remotely and move laterally on OT networks.

CodeMeter is widely used by many of the leading ICS software vendors, including Rockwell Automation and Siemens, both of whom confirmed in advisories that they are affected by these flaws.
These flaws can be exploited via phishing campaigns or directly by attackers who would be able to fingerprint user environments in order to modify existing software licenses or inject malicious ones, causing devices and processes to crash.
Six critical vulnerabilities have been uncovered by Claroty researchers in Wibu-Systems’ CodeMeter third-party license management component that could expose users in numerous industries to takeover of their operational technology (OT) networks.