SSA-455843

Vulnerability from csaf_siemens - Published: 2020-09-08 00:00 - Updated: 2022-02-17 00:00
Summary
SSA-455843: WIBU Systems CodeMeter Runtime Vulnerabilities in Siemens Products

Notes

Summary
CISA and WIBU Systems disclosed six vulnerabilities in different versions of CodeMeter Runtime, a product provided by WIBU Systems and used in several Siemens products for license management. The vulnerabilities are described in the section "Vulnerability Classification" below and were assigned the CVE IDs CVE-2020-14509, CVE-2020-14513, CVE-2020-14515, CVE-2020-14517, CVE-2020-14519, and CVE-2020-16233. Successful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, attain remote code execution, or prevent normal operation of the Siemens software that depends on CodeMeter Runtime. Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where updates are not, or not yet, available.
General Recommendations
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use
Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.

{
  "document": {
    "acknowledgments": [
      {
        "organization": "Cybersecurity and Infrastructure Security Agency (CISA)",
        "summary": "coordination efforts"
      },
      {
        "organization": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik (BSI)",
        "summary": "coordination efforts"
      },
      {
        "organization": "WIBU Systems CERT",
        "summary": "coordination efforts"
      }
    ],
    "category": "Siemens Security Advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited.",
      "tlp": {
        "label": "WHITE"
      }
    },
    "notes": [
      {
        "category": "summary",
        "text": "CISA and WIBU Systems disclosed six vulnerabilities in different versions of CodeMeter Runtime, a product provided by WIBU Systems and used in several Siemens products for license management.\n\nThe vulnerabilities are described in the section \"Vulnerability Classification\" below and got assigned the CVE IDs CVE-2020-14509, CVE-2020-14513, CVE-2020-14515, CVE-2020-14517, CVE-2020-14519, and CVE-2020-16233. Successful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, attain remote code execution, or prevent normal operation of the Siemens software that depends on CodeMeter Runtime.\n\nSiemens has released updates for several affected products and recommends to update to the latest versions. Siemens recommends specific countermeasures for products where updates are not, or not yet available.",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
        "title": "General Recommendations"
      },
      {
        "category": "general",
        "text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "Siemens Security Advisories are subject to the terms and conditions contained in Siemens\u0027 underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter \"License Terms\"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens\u0027 Global Website (https://www.siemens.com/terms_of_use, hereinafter \"Terms of Use\"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "productcert@siemens.com",
      "name": "Siemens ProductCERT",
      "namespace": "https://www.siemens.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "SSA-455843: WIBU Systems CodeMeter Runtime Vulnerabilities in Siemens Products - PDF Version",
        "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-455843.pdf"
      },
      {
        "category": "self",
        "summary": "SSA-455843: WIBU Systems CodeMeter Runtime Vulnerabilities in Siemens Products - TXT Version",
        "url": "https://cert-portal.siemens.com/productcert/txt/ssa-455843.txt"
      },
      {
        "category": "self",
        "summary": "SSA-455843: WIBU Systems CodeMeter Runtime Vulnerabilities in Siemens Products - CSAF Version",
        "url": "https://cert-portal.siemens.com/productcert/csaf/ssa-455843.json"
      }
    ],
    "title": "SSA-455843: WIBU Systems CodeMeter Runtime Vulnerabilities in Siemens Products",
    "tracking": {
      "current_release_date": "2022-02-17T00:00:00Z",
      "generator": {
        "engine": {
          "name": "Siemens ProductCERT CSAF Generator",
          "version": "1"
        }
      },
      "id": "SSA-455843",
      "initial_release_date": "2020-09-08T00:00:00Z",
      "revision_history": [
        {
          "date": "2020-09-08T00:00:00Z",
          "legacy_version": "1.0",
          "number": "1",
          "summary": "Publication Date"
        },
        {
          "date": "2020-10-13T00:00:00Z",
          "legacy_version": "1.1",
          "number": "2",
          "summary": "Added PSS CAPE Protection Simulation Platform; added solution by software update for SIMATIC WinCC OA; added solution by installation of latest CodeMeter Runtime version for SIMIT, SINEC INS, and PSS CAPE"
        },
        {
          "date": "2020-11-10T00:00:00Z",
          "legacy_version": "1.2",
          "number": "3",
          "summary": "Added SICAM 230"
        },
        {
          "date": "2021-01-12T00:00:00Z",
          "legacy_version": "1.3",
          "number": "4",
          "summary": "Updated solutions for PCS neo and SPPA T3000 (with fixes for the open CVEs)"
        },
        {
          "date": "2021-02-09T00:00:00Z",
          "legacy_version": "1.4",
          "number": "5",
          "summary": "Updated solution for SPPA S3000 (with fixes for the open CVEs)"
        },
        {
          "date": "2021-03-09T00:00:00Z",
          "legacy_version": "1.5",
          "number": "6",
          "summary": "Updated solution for SINEC INS and SINEMA Remote Connect"
        },
        {
          "date": "2021-04-13T00:00:00Z",
          "legacy_version": "1.6",
          "number": "7",
          "summary": "Updated solution for PSS CAPE and SIMIT"
        },
        {
          "date": "2022-02-17T00:00:00Z",
          "legacy_version": "1.7",
          "number": "8",
          "summary": "Moved products from Siemens Energy to separate advisory SSA-455844"
        }
      ],
      "status": "final",
      "version": "8"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "CAPE 14 installations installed from material dated earlier than 2020-09-15",
                "product": {
                  "name": "PSS CAPE Protection Simulation Platform",
                  "product_id": "1"
                }
              }
            ],
            "category": "product_name",
            "name": "PSS CAPE Protection Simulation Platform"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICAM 230",
                  "product_id": "2"
                }
              }
            ],
            "category": "product_name",
            "name": "SICAM 230"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Version 2019 SP1",
                "product": {
                  "name": "SIMATIC Information Server 2019",
                  "product_id": "3"
                }
              }
            ],
            "category": "product_name",
            "name": "SIMATIC Information Server 2019"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c V3.0 SP1 Update 1",
                "product": {
                  "name": "SIMATIC PCS neo",
                  "product_id": "4"
                }
              }
            ],
            "category": "product_name",
            "name": "SIMATIC PCS neo"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c SP1 Update 1",
                "product": {
                  "name": "SIMATIC Process Historian 2019 (incl. Process Historian OPC UA Server)",
                  "product_id": "5"
                }
              }
            ],
            "category": "product_name",
            "name": "SIMATIC Process Historian 2019 (incl. Process Historian OPC UA Server)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c V3.17 P007",
                "product": {
                  "name": "SIMATIC WinCC OA",
                  "product_id": "6"
                }
              }
            ],
            "category": "product_name",
            "name": "SIMATIC WinCC OA"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003e= V10.0 and \u003c V10.2 Upd1",
                "product": {
                  "name": "SIMIT Simulation Platform",
                  "product_id": "7"
                }
              }
            ],
            "category": "product_name",
            "name": "SIMIT Simulation Platform"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c V1.0 SP1",
                "product": {
                  "name": "SINEC INS",
                  "product_id": "8"
                }
              }
            ],
            "category": "product_name",
            "name": "SINEC INS"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c V3.0",
                "product": {
                  "name": "SINEMA Remote Connect",
                  "product_id": "9"
                }
              }
            ],
            "category": "product_name",
            "name": "SINEMA Remote Connect"
          }
        ],
        "category": "vendor",
        "name": "Siemens"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-14509",
      "cwe": {
        "id": "CWE-805",
        "name": "Buffer Access with Incorrect Length Value"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Multiple memory corruption vulnerabilities exist where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1",
          "2",
          "3",
          "4",
          "5",
          "6",
          "7",
          "8"
        ]
      },
      "references": [
        {
          "summary": "CVE-2020-14509 - SIMATIC Information Server 2019",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "summary": "CVE-2020-14509 - SIMATIC PCS neo",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "summary": "CVE-2020-14509 - SIMATIC Process Historian 2019 (incl. Process Historian OPC UA Server)",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "summary": "CVE-2020-14509 - SIMATIC WinCC OA",
          "url": "https://www.winccoa.com/downloads/category/versions-patches.html"
        },
        {
          "summary": "CVE-2020-14509 - SIMIT Simulation Platform",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109794248/"
        },
        {
          "summary": "CVE-2020-14509 - SINEC INS",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109793469/"
        },
        {
          "summary": "CVE-2020-14509 Mitre 5.0 json",
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-14509.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "CAPE 14 installations installed from material dated 2020-09-15 or later are not affected, as they contain a fixed version of CodeMeter Runtime",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "If CAPE 14 was initially installed using earlier material, see the recommendations from section Workarounds and Mitigations",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "Update to SICAM 230 V8.00 or later version. Install WIBU Systems CodeMeter Runtime V7.10a to fix all issues",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "mitigation",
          "details": "See also the recommendations from section Workarounds and Mitigations",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "no_fix_planned",
          "details": "Currently no remediation is planned",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to Information Server 2019 SP1 Update 1 contained in PCS neo V3.0 SP1 Update 1",
          "product_ids": [
            "3"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V3.0 SP1 Update 1 or later version",
          "product_ids": [
            "4"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to Process Historian 2019 SP1 Update 1 contained in PCS neo V3.0 SP1 Update 1",
          "product_ids": [
            "5"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V3.17 P007 or later version",
          "product_ids": [
            "6"
          ],
          "url": "https://www.winccoa.com/downloads/category/versions-patches.html"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V10.2 Upd1 or later version",
          "product_ids": [
            "7"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109794248/"
        },
        {
          "category": "mitigation",
          "details": "For earlier versions see the recommendations from section Workarounds and Mitigations",
          "product_ids": [
            "7",
            "8"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V1.0 SP1 or later version",
          "product_ids": [
            "8"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109793469/"
        },
        {
          "category": "mitigation",
          "details": "All products affected by CVE-2020-14513 or CVE-2020-14515: Do not import license files from untrusted sources.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        },
        {
          "category": "mitigation",
          "details": "SIMATIC WinCC OA V3.17:\n\nUpdate to V3.17 P007 or later version to fix all issues. For patch levels \u003c P007, the following measures apply:\n\nCVE-2020-14509, CVE-2020-14517, and CVE-2020-16233 are already mitigated by default, as no external connections to port 22350/tcp are allowed. Additionally, an update to SIMATIC WinCC OA version V3.17 P006 partially fixes CVE-2020-14517.\n\nCVE-2020-14519: Disable the WebSockets API of CodeMeter Runtime.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        },
        {
          "category": "mitigation",
          "details": "SIMIT Simulation Platform (Versions \u003e= V10.0 and \u003c V10.2 Upd1):\n\nTo fix all issues for existing installations, update CodeMeter Runtime to V7.10a: Download from the WIBU Systems User Software website and install on the SIMIT system.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        },
        {
          "category": "mitigation",
          "details": "SINEC INS (Versions \u003c V1.0 SP1 only):\n\nUpdate CodeMeter Runtime to V7.10a: Download the package \"CodeMeter User Runtime for Linux, version 7.10a, Driver-only\" from the WIBU Systems User Software website. Install it on the system which runs SINEC INS by executing the following command:\n\nsudo dpkg --force-depends --force-confnew -i codemeter-lite_7.10.4196.501_amd64.deb",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        },
        {
          "category": "mitigation",
          "details": "PSS CAPE Protection Simulation Platform (if initally installed from material dated earlier than 2020-09-15):\n\nUpdate CodeMeter Runtime to V7.10a: Download the package from https://www.psscape.com/codemeter and install it the same way as previous versions documented in the PSS CAPE 14 Installation Manual.\n\nContact PSS\u00aeCAPE Support at psscape.support.energy@siemens.com if you need assistance with patching affected systems.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        },
        {
          "category": "mitigation",
          "details": "SICAM 230\n\nTo fix all issues for existing installations, update SICAM 230 to V8.00 or later version. Then update CodeMeter Runtime to V7.10a: Download the package from WIBU Systems User Software website. Install it on SICAM 230 systems according to the procedure documented in chapter 9 of COPA-DATA Security Vulnerability Announcement 2020_1.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        }
      ],
      "title": "CVE-2020-14509"
    },
    {
      "cve": "CVE-2020-14513",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "CodeMeter and the software using it may crash while processing a specifically crafted license file due to unverified length fields.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1",
          "2",
          "4",
          "5",
          "7",
          "9"
        ]
      },
      "references": [
        {
          "summary": "CVE-2020-14513 - SIMATIC PCS neo",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "summary": "CVE-2020-14513 - SIMATIC Process Historian 2019 (incl. Process Historian OPC UA Server)",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "summary": "CVE-2020-14513 - SIMIT Simulation Platform",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109794248/"
        },
        {
          "summary": "CVE-2020-14513 - SINEMA Remote Connect",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109793790/"
        },
        {
          "summary": "CVE-2020-14513 Mitre 5.0 json",
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-14513.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "CAPE 14 installations installed from material dated 2020-09-15 or later are not affected, as they contain a fixed version of CodeMeter Runtime",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "If CAPE 14 was initially installed using earlier material, see the recommendations from section Workarounds and Mitigations",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "Update to SICAM 230 V8.00 or later version. Install WIBU Systems CodeMeter Runtime V7.10a to fix all issues",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "mitigation",
          "details": "See also the recommendations from section Workarounds and Mitigations",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "no_fix_planned",
          "details": "Currently no remediation is planned",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V3.0 SP1 Update 1 or later version",
          "product_ids": [
            "4"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to Process Historian 2019 SP1 Update 1 contained in PCS neo V3.0 SP1 Update 1",
          "product_ids": [
            "5"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V10.2 Upd1 or later version",
          "product_ids": [
            "7"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109794248/"
        },
        {
          "category": "mitigation",
          "details": "For earlier versions see the recommendations from section Workarounds and Mitigations",
          "product_ids": [
            "7",
            "9"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V3.0 or later version",
          "product_ids": [
            "9"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109793790/"
        },
        {
          "category": "mitigation",
          "details": "All products affected by CVE-2020-14513 or CVE-2020-14515: Do not import license files from untrusted sources.",
          "product_ids": [
            "1",
            "2",
            "4",
            "5",
            "7",
            "9"
          ]
        },
        {
          "category": "mitigation",
          "details": "SIMATIC WinCC OA V3.17:\n\nUpdate to V3.17 P007 or later version to fix all issues. For patch levels \u003c P007, the following measures apply:\n\nCVE-2020-14509, CVE-2020-14517, and CVE-2020-16233 are already mitigated by default, as no external connections to port 22350/tcp are allowed. Additionally, an update to SIMATIC WinCC OA version V3.17 P006 partially fixes CVE-2020-14517.\n\nCVE-2020-14519: Disable the WebSockets API of CodeMeter Runtime.",
          "product_ids": [
            "1",
            "2",
            "4",
            "5",
            "7",
            "9"
          ]
        },
        {
          "category": "mitigation",
          "details": "SIMIT Simulation Platform (Versions \u003e= V10.0 and \u003c V10.2 Upd1):\n\nTo fix all issues for existing installations, update CodeMeter Runtime to V7.10a: Download from the WIBU Systems User Software website and install on the SIMIT system.",
          "product_ids": [
            "1",
            "2",
            "4",
            "5",
            "7",
            "9"
          ]
        },
        {
          "category": "mitigation",
          "details": "SINEC INS (Versions \u003c V1.0 SP1 only):\n\nUpdate CodeMeter Runtime to V7.10a: Download the package \"CodeMeter User Runtime for Linux, version 7.10a, Driver-only\" from the WIBU Systems User Software website. Install it on the system which runs SINEC INS by executing the following command:\n\nsudo dpkg --force-depends --force-confnew -i codemeter-lite_7.10.4196.501_amd64.deb",
          "product_ids": [
            "1",
            "2",
            "4",
            "5",
            "7",
            "9"
          ]
        },
        {
          "category": "mitigation",
          "details": "PSS CAPE Protection Simulation Platform (if initally installed from material dated earlier than 2020-09-15):\n\nUpdate CodeMeter Runtime to V7.10a: Download the package from https://www.psscape.com/codemeter and install it the same way as previous versions documented in the PSS CAPE 14 Installation Manual.\n\nContact PSS\u00aeCAPE Support at psscape.support.energy@siemens.com if you need assistance with patching affected systems.",
          "product_ids": [
            "1",
            "2",
            "4",
            "5",
            "7",
            "9"
          ]
        },
        {
          "category": "mitigation",
          "details": "SICAM 230\n\nTo fix all issues for existing installations, update SICAM 230 to V8.00 or later version. Then update CodeMeter Runtime to V7.10a: Download the package from WIBU Systems User Software website. Install it on SICAM 230 systems according to the procedure documented in chapter 9 of COPA-DATA Security Vulnerability Announcement 2020_1.",
          "product_ids": [
            "1",
            "2",
            "4",
            "5",
            "7",
            "9"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1",
            "2",
            "4",
            "5",
            "7",
            "9"
          ]
        }
      ],
      "title": "CVE-2020-14513"
    },
    {
      "cve": "CVE-2020-14515",
      "cwe": {
        "id": "CWE-347",
        "name": "Improper Verification of Cryptographic Signature"
      },
      "notes": [
        {
          "category": "summary",
          "text": "There is an issue in the license-file signature checking mechanism, which could allow attackers to build arbitrary license files, including forging a valid license file as if it were a valid license file of an existing vendor. Only CmActLicense update files with CmActLicense Firm Code are affected.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1",
          "2",
          "4",
          "5",
          "7",
          "9"
        ]
      },
      "references": [
        {
          "summary": "CVE-2020-14515 - SIMATIC PCS neo",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "summary": "CVE-2020-14515 - SIMATIC Process Historian 2019 (incl. Process Historian OPC UA Server)",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "summary": "CVE-2020-14515 - SIMIT Simulation Platform",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109794248/"
        },
        {
          "summary": "CVE-2020-14515 - SINEMA Remote Connect",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109793790/"
        },
        {
          "summary": "CVE-2020-14515 Mitre 5.0 json",
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-14515.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "CAPE 14 installations installed from material dated 2020-09-15 or later are not affected, as they contain a fixed version of CodeMeter Runtime",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "If CAPE 14 was initially installed using earlier material, see the recommendations from section Workarounds and Mitigations",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "Update to SICAM 230 V8.00 or later version. Install WIBU Systems CodeMeter Runtime V7.10a to fix all issues",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "mitigation",
          "details": "See also the recommendations from section Workarounds and Mitigations",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "no_fix_planned",
          "details": "Currently no remediation is planned",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V3.0 SP1 Update 1 or later version",
          "product_ids": [
            "4"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to Process Historian 2019 SP1 Update 1 contained in PCS neo V3.0 SP1 Update 1",
          "product_ids": [
            "5"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V10.2 Upd1 or later version",
          "product_ids": [
            "7"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109794248/"
        },
        {
          "category": "mitigation",
          "details": "For earlier versions see the recommendations from section Workarounds and Mitigations",
          "product_ids": [
            "7",
            "9"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V3.0 or later version",
          "product_ids": [
            "9"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109793790/"
        },
        {
          "category": "mitigation",
          "details": "All products affected by CVE-2020-14513 or CVE-2020-14515: Do not import license files from untrusted sources.",
          "product_ids": [
            "1",
            "2",
            "4",
            "5",
            "7",
            "9"
          ]
        },
        {
          "category": "mitigation",
          "details": "SIMATIC WinCC OA V3.17:\n\nUpdate to V3.17 P007 or later version to fix all issues. For patch levels \u003c P007, the following measures apply:\n\nCVE-2020-14509, CVE-2020-14517, and CVE-2020-16233 are already mitigated by default, as no external connections to port 22350/tcp are allowed. Additionally, an update to SIMATIC WinCC OA version V3.17 P006 partially fixes CVE-2020-14517.\n\nCVE-2020-14519: Disable the WebSockets API of CodeMeter Runtime.",
          "product_ids": [
            "1",
            "2",
            "4",
            "5",
            "7",
            "9"
          ]
        },
        {
          "category": "mitigation",
          "details": "SIMIT Simulation Platform (Versions \u003e= V10.0 and \u003c V10.2 Upd1):\n\nTo fix all issues for existing installations, update CodeMeter Runtime to V7.10a: Download from the WIBU Systems User Software website and install on the SIMIT system.",
          "product_ids": [
            "1",
            "2",
            "4",
            "5",
            "7",
            "9"
          ]
        },
        {
          "category": "mitigation",
          "details": "SINEC INS (Versions \u003c V1.0 SP1 only):\n\nUpdate CodeMeter Runtime to V7.10a: Download the package \"CodeMeter User Runtime for Linux, version 7.10a, Driver-only\" from the WIBU Systems User Software website. Install it on the system which runs SINEC INS by executing the following command:\n\nsudo dpkg --force-depends --force-confnew -i codemeter-lite_7.10.4196.501_amd64.deb",
          "product_ids": [
            "1",
            "2",
            "4",
            "5",
            "7",
            "9"
          ]
        },
        {
          "category": "mitigation",
          "details": "PSS CAPE Protection Simulation Platform (if initially installed from material dated earlier than 2020-09-15):\n\nUpdate CodeMeter Runtime to V7.10a: Download the package from https://www.psscape.com/codemeter and install it the same way as previous versions documented in the PSS CAPE 14 Installation Manual.\n\nContact PSS\u00aeCAPE Support at psscape.support.energy@siemens.com if you need assistance with patching affected systems.",
          "product_ids": [
            "1",
            "2",
            "4",
            "5",
            "7",
            "9"
          ]
        },
        {
          "category": "mitigation",
          "details": "SICAM 230\n\nTo fix all issues for existing installations, update SICAM 230 to V8.00 or later version. Then update CodeMeter Runtime to V7.10a: Download the package from WIBU Systems User Software website. Install it on SICAM 230 systems according to the procedure documented in chapter 9 of COPA-DATA Security Vulnerability Announcement 2020_1.",
          "product_ids": [
            "1",
            "2",
            "4",
            "5",
            "7",
            "9"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1",
            "2",
            "4",
            "5",
            "7",
            "9"
          ]
        }
      ],
      "title": "CVE-2020-14515"
    },
    {
      "cve": "CVE-2020-14517",
      "cwe": {
        "id": "CWE-326",
        "name": "Inadequate Encryption Strength"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Protocol encryption can be easily broken and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1",
          "2",
          "3",
          "4",
          "5",
          "6",
          "7",
          "8"
        ]
      },
      "references": [
        {
          "summary": "CVE-2020-14517 - SIMATIC Information Server 2019",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "summary": "CVE-2020-14517 - SIMATIC PCS neo",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "summary": "CVE-2020-14517 - SIMATIC Process Historian 2019 (incl. Process Historian OPC UA Server)",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "summary": "CVE-2020-14517 - SIMATIC WinCC OA",
          "url": "https://www.winccoa.com/downloads/category/versions-patches.html"
        },
        {
          "summary": "CVE-2020-14517 - SIMIT Simulation Platform",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109794248/"
        },
        {
          "summary": "CVE-2020-14517 - SINEC INS",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109793469/"
        },
        {
          "summary": "CVE-2020-14517 Mitre 5.0 json",
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-14517.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "CAPE 14 installations installed from material dated 2020-09-15 or later are not affected, as they contain a fixed version of CodeMeter Runtime",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "If CAPE 14 was initially installed using earlier material, see the recommendations from section Workarounds and Mitigations",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "Update to SICAM 230 V8.00 or later version. Install WIBU Systems CodeMeter Runtime V7.10a to fix all issues",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "mitigation",
          "details": "See also the recommendations from section Workarounds and Mitigations",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "no_fix_planned",
          "details": "Currently no remediation is planned",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to Information Server 2019 SP1 Update 1 contained in PCS neo V3.0 SP1 Update 1",
          "product_ids": [
            "3"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V3.0 SP1 Update 1 or later version",
          "product_ids": [
            "4"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to Process Historian 2019 SP1 Update 1 contained in PCS neo V3.0 SP1 Update 1",
          "product_ids": [
            "5"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V3.17 P007 or later version",
          "product_ids": [
            "6"
          ],
          "url": "https://www.winccoa.com/downloads/category/versions-patches.html"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V10.2 Upd1 or later version",
          "product_ids": [
            "7"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109794248/"
        },
        {
          "category": "mitigation",
          "details": "For earlier versions see the recommendations from section Workarounds and Mitigations",
          "product_ids": [
            "7",
            "8"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V1.0 SP1 or later version",
          "product_ids": [
            "8"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109793469/"
        },
        {
          "category": "mitigation",
          "details": "All products affected by CVE-2020-14513 or CVE-2020-14515: Do not import license files from untrusted sources.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        },
        {
          "category": "mitigation",
          "details": "SIMATIC WinCC OA V3.17:\n\nUpdate to V3.17 P007 or later version to fix all issues. For patch levels \u003c P007, the following measures apply:\n\nCVE-2020-14509, CVE-2020-14517, and CVE-2020-16233 are already mitigated by default, as no external connections to port 22350/tcp are allowed. Additionally, an update to SIMATIC WinCC OA version V3.17 P006 partially fixes CVE-2020-14517.\n\nCVE-2020-14519: Disable the WebSockets API of CodeMeter Runtime.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        },
        {
          "category": "mitigation",
          "details": "SIMIT Simulation Platform (Versions \u003e= V10.0 and \u003c V10.2 Upd1):\n\nTo fix all issues for existing installations, update CodeMeter Runtime to V7.10a: Download from the WIBU Systems User Software website and install on the SIMIT system.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        },
        {
          "category": "mitigation",
          "details": "SINEC INS (Versions \u003c V1.0 SP1 only):\n\nUpdate CodeMeter Runtime to V7.10a: Download the package \"CodeMeter User Runtime for Linux, version 7.10a, Driver-only\" from the WIBU Systems User Software website. Install it on the system which runs SINEC INS by executing the following command:\n\nsudo dpkg --force-depends --force-confnew -i codemeter-lite_7.10.4196.501_amd64.deb",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        },
        {
          "category": "mitigation",
          "details": "PSS CAPE Protection Simulation Platform (if initially installed from material dated earlier than 2020-09-15):\n\nUpdate CodeMeter Runtime to V7.10a: Download the package from https://www.psscape.com/codemeter and install it the same way as previous versions documented in the PSS CAPE 14 Installation Manual.\n\nContact PSS\u00aeCAPE Support at psscape.support.energy@siemens.com if you need assistance with patching affected systems.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        },
        {
          "category": "mitigation",
          "details": "SICAM 230\n\nTo fix all issues for existing installations, update SICAM 230 to V8.00 or later version. Then update CodeMeter Runtime to V7.10a: Download the package from WIBU Systems User Software website. Install it on SICAM 230 systems according to the procedure documented in chapter 9 of COPA-DATA Security Vulnerability Announcement 2020_1.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        }
      ],
      "title": "CVE-2020-14517"
    },
    {
      "cve": "CVE-2020-14519",
      "cwe": {
        "id": "CWE-346",
        "name": "Origin Validation Error"
      },
      "notes": [
        {
          "category": "summary",
          "text": "This vulnerability could allow an attacker to use an internal API via a specifically crafted JavaScript payload, which may allow alteration or creation of license files.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1",
          "2",
          "3",
          "4",
          "5",
          "6",
          "7",
          "8",
          "9"
        ]
      },
      "references": [
        {
          "summary": "CVE-2020-14519 - SIMATIC Information Server 2019",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "summary": "CVE-2020-14519 - SIMATIC PCS neo",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "summary": "CVE-2020-14519 - SIMATIC Process Historian 2019 (incl. Process Historian OPC UA Server)",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "summary": "CVE-2020-14519 - SIMATIC WinCC OA",
          "url": "https://www.winccoa.com/downloads/category/versions-patches.html"
        },
        {
          "summary": "CVE-2020-14519 - SIMIT Simulation Platform",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109794248/"
        },
        {
          "summary": "CVE-2020-14519 - SINEC INS",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109793469/"
        },
        {
          "summary": "CVE-2020-14519 - SINEMA Remote Connect",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109793790/"
        },
        {
          "summary": "CVE-2020-14519 Mitre 5.0 json",
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-14519.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "CAPE 14 installations installed from material dated 2020-09-15 or later are not affected, as they contain a fixed version of CodeMeter Runtime",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "If CAPE 14 was initially installed using earlier material, see the recommendations from section Workarounds and Mitigations",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "Update to SICAM 230 V8.00 or later version. Install WIBU Systems CodeMeter Runtime V7.10a to fix all issues",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "mitigation",
          "details": "See also the recommendations from section Workarounds and Mitigations",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "no_fix_planned",
          "details": "Currently no remediation is planned",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to Information Server 2019 SP1 Update 1 contained in PCS neo V3.0 SP1 Update 1",
          "product_ids": [
            "3"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V3.0 SP1 Update 1 or later version",
          "product_ids": [
            "4"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to Process Historian 2019 SP1 Update 1 contained in PCS neo V3.0 SP1 Update 1",
          "product_ids": [
            "5"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V3.17 P007 or later version",
          "product_ids": [
            "6"
          ],
          "url": "https://www.winccoa.com/downloads/category/versions-patches.html"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V10.2 Upd1 or later version",
          "product_ids": [
            "7"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109794248/"
        },
        {
          "category": "mitigation",
          "details": "For earlier versions see the recommendations from section Workarounds and Mitigations",
          "product_ids": [
            "7",
            "8",
            "9"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V1.0 SP1 or later version",
          "product_ids": [
            "8"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109793469/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V3.0 or later version",
          "product_ids": [
            "9"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109793790/"
        },
        {
          "category": "mitigation",
          "details": "All products affected by CVE-2020-14513 or CVE-2020-14515: Do not import license files from untrusted sources.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8",
            "9"
          ]
        },
        {
          "category": "mitigation",
          "details": "SIMATIC WinCC OA V3.17:\n\nUpdate to V3.17 P007 or later version to fix all issues. For patch levels \u003c P007, the following measures apply:\n\nCVE-2020-14509, CVE-2020-14517, and CVE-2020-16233 are already mitigated by default, as no external connections to port 22350/tcp are allowed. Additionally, an update to SIMATIC WinCC OA version V3.17 P006 partially fixes CVE-2020-14517.\n\nCVE-2020-14519: Disable the WebSockets API of CodeMeter Runtime.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8",
            "9"
          ]
        },
        {
          "category": "mitigation",
          "details": "SIMIT Simulation Platform (Versions \u003e= V10.0 and \u003c V10.2 Upd1):\n\nTo fix all issues for existing installations, update CodeMeter Runtime to V7.10a: Download from the WIBU Systems User Software website and install on the SIMIT system.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8",
            "9"
          ]
        },
        {
          "category": "mitigation",
          "details": "SINEC INS (Versions \u003c V1.0 SP1 only):\n\nUpdate CodeMeter Runtime to V7.10a: Download the package \"CodeMeter User Runtime for Linux, version 7.10a, Driver-only\" from the WIBU Systems User Software website. Install it on the system which runs SINEC INS by executing the following command:\n\nsudo dpkg --force-depends --force-confnew -i codemeter-lite_7.10.4196.501_amd64.deb",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8",
            "9"
          ]
        },
        {
          "category": "mitigation",
          "details": "PSS CAPE Protection Simulation Platform (if initially installed from material dated earlier than 2020-09-15):\n\nUpdate CodeMeter Runtime to V7.10a: Download the package from https://www.psscape.com/codemeter and install it the same way as previous versions documented in the PSS CAPE 14 Installation Manual.\n\nContact PSS\u00aeCAPE Support at psscape.support.energy@siemens.com if you need assistance with patching affected systems.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8",
            "9"
          ]
        },
        {
          "category": "mitigation",
          "details": "SICAM 230\n\nTo fix all issues for existing installations, update SICAM 230 to V8.00 or later version. Then update CodeMeter Runtime to V7.10a: Download the package from WIBU Systems User Software website. Install it on SICAM 230 systems according to the procedure documented in chapter 9 of COPA-DATA Security Vulnerability Announcement 2020_1.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8",
            "9"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8",
            "9"
          ]
        }
      ],
      "title": "CVE-2020-14519"
    },
    {
      "cve": "CVE-2020-16233",
      "cwe": {
        "id": "CWE-404",
        "name": "Improper Resource Shutdown or Release"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An attacker could send a specially crafted packet that could have the server send back packets containing data from the heap.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1",
          "2",
          "3",
          "4",
          "5",
          "6",
          "7",
          "8"
        ]
      },
      "references": [
        {
          "summary": "CVE-2020-16233 - SIMATIC Information Server 2019",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "summary": "CVE-2020-16233 - SIMATIC PCS neo",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "summary": "CVE-2020-16233 - SIMATIC Process Historian 2019 (incl. Process Historian OPC UA Server)",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "summary": "CVE-2020-16233 - SIMATIC WinCC OA",
          "url": "https://www.winccoa.com/downloads/category/versions-patches.html"
        },
        {
          "summary": "CVE-2020-16233 - SIMIT Simulation Platform",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109794248/"
        },
        {
          "summary": "CVE-2020-16233 - SINEC INS",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109793469/"
        },
        {
          "summary": "CVE-2020-16233 Mitre 5.0 json",
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-16233.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "CAPE 14 installations installed from material dated 2020-09-15 or later are not affected, as they contain a fixed version of CodeMeter Runtime",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "If CAPE 14 was initially installed using earlier material, see the recommendations from section Workarounds and Mitigations",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "Update to SICAM 230 V8.00 or later version. Install WIBU Systems CodeMeter Runtime V7.10a to fix all issues",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "mitigation",
          "details": "See also the recommendations from section Workarounds and Mitigations",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "no_fix_planned",
          "details": "Currently no remediation is planned",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to Information Server 2019 SP1 Update 1 contained in PCS neo V3.0 SP1 Update 1",
          "product_ids": [
            "3"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V3.0 SP1 Update 1 or later version",
          "product_ids": [
            "4"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to Process Historian 2019 SP1 Update 1 contained in PCS neo V3.0 SP1 Update 1",
          "product_ids": [
            "5"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109784449/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V3.17 P007 or later version",
          "product_ids": [
            "6"
          ],
          "url": "https://www.winccoa.com/downloads/category/versions-patches.html"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V10.2 Upd1 or later version",
          "product_ids": [
            "7"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109794248/"
        },
        {
          "category": "mitigation",
          "details": "For earlier versions see the recommendations from section Workarounds and Mitigations",
          "product_ids": [
            "7",
            "8"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V1.0 SP1 or later version",
          "product_ids": [
            "8"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109793469/"
        },
        {
          "category": "mitigation",
          "details": "All products affected by CVE-2020-14513 or CVE-2020-14515: Do not import license files from untrusted sources.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        },
        {
          "category": "mitigation",
          "details": "SIMATIC WinCC OA V3.17:\n\nUpdate to V3.17 P007 or later version to fix all issues. For patch levels \u003c P007, the following measures apply:\n\nCVE-2020-14509, CVE-2020-14517, and CVE-2020-16233 are already mitigated by default, as no external connections to port 22350/tcp are allowed. Additionally, an update to SIMATIC WinCC OA version V3.17 P006 partially fixes CVE-2020-14517.\n\nCVE-2020-14519: Disable the WebSockets API of CodeMeter Runtime.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        },
        {
          "category": "mitigation",
          "details": "SIMIT Simulation Platform (Versions \u003e= V10.0 and \u003c V10.2 Upd1):\n\nTo fix all issues for existing installations, update CodeMeter Runtime to V7.10a: Download from the WIBU Systems User Software website and install on the SIMIT system.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        },
        {
          "category": "mitigation",
          "details": "SINEC INS (Versions \u003c V1.0 SP1 only):\n\nUpdate CodeMeter Runtime to V7.10a: Download the package \"CodeMeter User Runtime for Linux, version 7.10a, Driver-only\" from the WIBU Systems User Software website. Install it on the system which runs SINEC INS by executing the following command:\n\nsudo dpkg --force-depends --force-confnew -i codemeter-lite_7.10.4196.501_amd64.deb",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        },
        {
          "category": "mitigation",
          "details": "PSS CAPE Protection Simulation Platform (if initially installed from material dated earlier than 2020-09-15):\n\nUpdate CodeMeter Runtime to V7.10a: Download the package from https://www.psscape.com/codemeter and install it the same way as previous versions documented in the PSS CAPE 14 Installation Manual.\n\nContact PSS\u00aeCAPE Support at psscape.support.energy@siemens.com if you need assistance with patching affected systems.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        },
        {
          "category": "mitigation",
          "details": "SICAM 230\n\nTo fix all issues for existing installations, update SICAM 230 to V8.00 or later version. Then update CodeMeter Runtime to V7.10a: Download the package from WIBU Systems User Software website. Install it on SICAM 230 systems according to the procedure documented in chapter 9 of COPA-DATA Security Vulnerability Announcement 2020_1.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:T/RC:C",
            "version": "3.1"
          },
          "products": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8"
          ]
        }
      ],
      "title": "CVE-2020-16233"
    }
  ]
}

