VDE-2021-043

Vulnerability from csaf_wagogmbhcokg - Published: 2021-08-31 07:02 - Updated: 2025-05-14 12:28
Summary
WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro
Notes
Summary: Multiple vulnerabilities were reported in WIBU-SYSTEMS CodeMeter. CodeMeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations. All currently existing e!COCKPIT installation bundles (versions below V1.10) and the WAGO-I/O-Pro (CODESYS 2.3) installation bundles with versions 2.3.9.46, 2.3.9.47, 2.3.9.49, 2.3.9.53, 2.3.9.55, 2.3.9.61 and 2.3.9.66 contain vulnerable versions of CodeMeter.
Impact: WAGO controllers and I/O devices are not affected by the CodeMeter vulnerabilities. However, for compatibility with the 3S CODESYS Store, the e!COCKPIT and WAGO-I/O-Pro engineering software is bundled with a CodeMeter installation, so the exposure is on the engineering PC on which this software is installed. With the default settings (network server and CmWAN disabled) the CodeMeter Runtime Server is reachable only from that PC itself.
Mitigation:
1. Use general security best practices to protect systems from local and network attacks.
2. Run CodeMeter as a client only and bind the CodeMeter communication to localhost.
3. With the binding to localhost, an attack is no longer possible via a remote network connection (a local user on the engineering PC can still reach the service, so the update remains the actual fix). The network server is disabled by default.
4. If it is not possible to disable the network server, using a host-based firewall to restrict access to the CmLAN port can reduce the risk.
5. The CmWAN server is disabled by default. Check whether CmWAN is enabled and disable the feature if it is not needed.
6. Run the CmWAN server only behind a reverse proxy with user authentication to prevent attacks from unauthenticated users.
7. The risk from an unauthenticated attacker can be further reduced by using a host-based firewall that only allows the reverse proxy to access the CmWAN port.
For further impact information and risk mitigation, refer to the official WIBU-SYSTEMS advisory website at https://wibu.com/support/security-advisories.html
Remediation: We strongly encourage e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) users to update CodeMeter by installing the latest available stand-alone WIBU-SYSTEMS CodeMeter version. During the CodeMeter installation, apply the recommended setup settings from the WIBU-SYSTEMS advisories; a brief summary is given under Mitigation. Check for updates and details that may not be included in this document. WAGO will provide updated e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) setup routines with the latest CodeMeter version in Q4/2021.
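The mitigation steps and the version-based remediation above lend themselves to an automated local audit. The following Python script is an added example and is not WAGO, WIBU-SYSTEMS or CERT@VDE code. It does two things: it orders CodeMeter version strings so that an installed version can be compared against the 7.21a fixed release named in the vulnerability descriptions on this page (note that a plain "7.21" without the letter suffix is still older than "7.21a"), and it reads a netstat-style listing of listening TCP sockets to tell whether the CmLAN port is bound to a network address rather than localhost (mitigation steps 2 to 4) and whether the CmWAN port is listening at all (steps 5 to 7). The port numbers 22350 (CmLAN) and 22351 (CmWAN) are assumptions based on CodeMeter's documented defaults, not values from this advisory, and the netstat listings are constructed samples rather than captures from a real host; confirm the ports in CodeMeter WebAdmin before relying on the result.

```python
"""Audit helpers for the CodeMeter hardening steps in this advisory.

Added example, not WAGO or WIBU-SYSTEMS code. Checks (1) whether an installed
CodeMeter Runtime is older than the 7.21a fix release and (2) from a netstat-style
listing, whether CmLAN is reachable from the network and whether CmWAN listens.
"""
import re

FIXED_VERSION = "7.21a"  # fix release named in the vulnerability descriptions

# Assumed CodeMeter default ports; the advisory names none. Verify in WebAdmin.
CMLAN_PORT = 22350
CMWAN_PORT = 22351

LOOPBACK = {"127.0.0.1", "::1"}


def parse_version(text):
    """Turn a CodeMeter version such as '7.21a' into a sortable tuple.

    The trailing letter is a patch level released after the plain number,
    so '7.21' < '7.21a' < '7.21b'. Unknown formats raise ValueError rather
    than silently comparing as safe.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)([a-z])?\s*", text)
    if not m:
        raise ValueError(f"unrecognised CodeMeter version: {text!r}")
    major, minor, patch = m.groups()
    patch_level = ord(patch) - ord("a") + 1 if patch else 0
    return (int(major), int(minor), patch_level)


def is_vulnerable_version(installed):
    """True when the installed runtime predates the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def listening_sockets(netstat_output):
    """Yield (address, port) for each TCP LISTENING line of `netstat -ano`
    style output; handles '0.0.0.0:22350' and bracketed '[::1]:22350'."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, _, port = fields[1].rpartition(":")
        yield addr.strip("[]"), int(port)


def audit_bindings(netstat_output, cmlan_port=CMLAN_PORT, cmwan_port=CMWAN_PORT):
    """Map the socket listing onto the advisory's mitigation steps.

    cmlan_exposed:   CmLAN listens on a non-loopback address, i.e. the
                     network server is enabled (steps 2 to 4).
    cmwan_listening: the CmWAN server is listening at all (steps 5 to 7).
    """
    result = {"cmlan_exposed": False, "cmwan_listening": False}
    for addr, port in listening_sockets(netstat_output):
        if port == cmlan_port and addr not in LOOPBACK:
            result["cmlan_exposed"] = True
        if port == cmwan_port:
            result["cmwan_listening"] = True
    return result


def report(installed_version, netstat_output):
    """Return plain-text findings; an empty list means nothing to do."""
    findings = []
    if is_vulnerable_version(installed_version):
        findings.append(f"CodeMeter {installed_version} is older than "
                        f"{FIXED_VERSION}: install the latest stand-alone runtime")
    bindings = audit_bindings(netstat_output)
    if bindings["cmlan_exposed"]:
        findings.append("CmLAN port listens on a network address: bind to "
                        "localhost or restrict the port with a host firewall")
    if bindings["cmwan_listening"]:
        findings.append("CmWAN server is listening: disable it or place it "
                        "behind an authenticating reverse proxy")
    return findings


# Constructed sample listings (not captured from a real host).
NETSTAT_EXPOSED = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:22350          0.0.0.0:0              LISTENING       4321
  TCP    [::]:22351             [::]:0                 LISTENING       4321
  TCP    127.0.0.1:22352        0.0.0.0:0              LISTENING       4321
"""
NETSTAT_LOCALHOST_ONLY = """
  TCP    127.0.0.1:22350        0.0.0.0:0              LISTENING       4321
  TCP    [::1]:22350            [::]:0                 LISTENING       4321
  TCP    127.0.0.1:22352        0.0.0.0:0              LISTENING       4321
"""

if __name__ == "__main__":
    for finding in report("7.20", NETSTAT_EXPOSED):
        print("-", finding)
```

On a Windows engineering PC, feed `report()` the version shown by CodeMeter Control Center and the output of `netstat -ano`. Against the constructed exposed listing with version 7.20 it returns all three findings; against the localhost-only listing with version 7.21a it returns none. The version parser deliberately raises on strings it does not recognise instead of treating them as patched.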

CVE-2021-20093
A buffer over-read vulnerability exists in Wibu-Systems CodeMeter versions before 7.21a. An unauthenticated remote attacker can exploit this issue to disclose heap memory contents or crash the CodeMeter Runtime Server.

CWE-125 - Out-of-bounds Read
CVSS v3.1 base score 9.1 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Vendor Fix and Mitigation: identical to the Remediation and Mitigation text under Notes above.

CVE-2021-20094
A denial of service vulnerability exists in Wibu-Systems CodeMeter versions before 7.21a. An unauthenticated remote attacker can exploit this issue to crash the CodeMeter Runtime Server.

CWE-125 - Out-of-bounds Read
CVSS v3.1 base score 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vendor Fix and Mitigation: identical to the Remediation and Mitigation text under Notes above.
Acknowledgments
CERT@VDE (coordination), https://certvde.com

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "summary",
        "text": "Multiple vulnerabilities were reported in WIBU-SYSTEMS Codemeter. WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations. All currently existing e!COCKPIT installation bundles and WAGO-I/O-Pro (CODESYS 2.3) installation bundles with Version 2.3.9.46, 2.3.9.47, 2.3.9.49, 2.3.9.53, 2.3.9.55, 2.3.9.61 and 2.3.9.66 contain vulnerable versions of WIBU-SYSTEMS Codemeter.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "WAGO controllers and IO-Devices are not affected by WIBU-SYSTEMS Codemeter vulnerabilities. However, due to compatibility reasons to the 3S CODESYS Store, the e!COCKPIT and engineering software is bundled with a WIBU-SYSTEMS Codemeter installation.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "1. Use general security best practices to protect systems from local and network attacks.\n2. Run CodeMeter as client only and use localhost as binding for the CodeMeter communication\n3. With binding to localhost an attack is no longer possible via remote network connection. The network server is disabled by default.\n4. If it is not possible to disable the network server, using a host-based firewall to restrict access to the CmLAN port can reduce the risk.\n5. The CmWAN server is disabled by default. Please check if CmWAN is enabled and disable the feature if it is not needed.\n6. Run the CmWAN server only behind a reverse proxy with user authentication to prevent attacks from unauthenticated users.\n7. The risk of an unauthenticated attacker can be further reduced by using a host-based firewall that only allows the reverse proxy to access the CmWAN port.\nFor further impact information and risk mitigation, please refer to the official WIBU-SYSTEMS Advisory Website at https://wibu.com/support/security-advisories.html",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "We strongly encourage e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) users to update WIBU-SYSTEMS Codemeter by installing the latest available stand-alone WIBU-SYSTEMS Codemeter Version.\n\nDuring the WIBU-SYSTEMS Codemeter installation process, refer to the recommended setup settings according to the WIBU-SYSTEMS advisories, a brief summary is provided in the chapter mitigation. Please check for updates and details that may not be included in this document.\n\nWAGO will provide updated e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) setup routines with the latest WIBU-SYSTEMS Codemeter version in Q4/2021.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@wago.com",
      "name": "WAGO GmbH \u0026 Co. KG",
      "namespace": "https://www.wago.com/psirt"
    },
    "references": [
      {
        "category": "external",
        "summary": "Wago advisory overview at CERT@VDE",
        "url": "https://certvde.com/en/advisories/vendor/wago/"
      },
      {
        "category": "self",
        "summary": "VDE-2021-043: WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2021-043"
      },
      {
        "category": "self",
        "summary": "VDE-2021-043: WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro - CSAF",
        "url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2021/vde-2021-043.json"
      }
    ],
    "title": "WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro",
    "tracking": {
      "aliases": [
        "VDE-2021-043"
      ],
      "current_release_date": "2025-05-14T12:28:19.000Z",
      "generator": {
        "date": "2025-02-26T16:07:57.503Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.19"
        }
      },
      "id": "VDE-2021-043",
      "initial_release_date": "2021-08-31T07:02:00.000Z",
      "revision_history": [
        {
          "date": "2021-08-31T07:02:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        },
        {
          "date": "2025-05-14T12:28:19.000Z",
          "number": "2",
          "summary": "Fix: firmware category, added distribution"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003cV1.10",
                    "product": {
                      "name": "e!COCKPIT engineering software installation bundles \u003cV1.10",
                      "product_id": "CSAFPID-51001"
                    }
                  }
                ],
                "category": "product_name",
                "name": "e!COCKPIT engineering software installation bundles"
              },
              {
                "branches": [
                  {
                    "category": "product_version",
                    "name": "2.3.9.46",
                    "product": {
                      "name": "WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.46",
                      "product_id": "CSAFPID-51002"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.3.9.47",
                    "product": {
                      "name": "WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.47",
                      "product_id": "CSAFPID-51003"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.3.9.49",
                    "product": {
                      "name": "WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.49",
                      "product_id": "CSAFPID-51004"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.3.9.53",
                    "product": {
                      "name": "WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.53",
                      "product_id": "CSAFPID-51005"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.3.9.55",
                    "product": {
                      "name": "WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.55",
                      "product_id": "CSAFPID-51006"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.3.9.61",
                    "product": {
                      "name": "WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.61",
                      "product_id": "CSAFPID-51007"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.3.9.66",
                    "product": {
                      "name": "WAGO-I/O-Pro (CODESYS 2.3) engineering software 2.3.9.66",
                      "product_id": "CSAFPID-51008"
                    }
                  }
                ],
                "category": "product_name",
                "name": "WAGO-I/O-Pro (CODESYS 2.3) engineering software"
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "WAGO"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-51001",
          "CSAFPID-51002",
          "CSAFPID-51003",
          "CSAFPID-51004",
          "CSAFPID-51005",
          "CSAFPID-51006",
          "CSAFPID-51007",
          "CSAFPID-51008"
        ],
        "summary": "Affected Products"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-20093",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "description",
          "text": "A buffer over-read vulnerability exists in Wibu-Systems CodeMeter versions \u003c 7.21a. An unauthenticated remote attacker can exploit this issue to disclose heap memory contents or crash the CodeMeter Runtime Server.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-51001",
          "CSAFPID-51002",
          "CSAFPID-51003",
          "CSAFPID-51004",
          "CSAFPID-51005",
          "CSAFPID-51006",
          "CSAFPID-51007",
          "CSAFPID-51008"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "\nWe strongly encourage e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) users to update WIBU-SYSTEMS Codemeter by installing the latest available stand-alone WIBU-SYSTEMS Codemeter Version.\n\nDuring the WIBU-SYSTEMS Codemeter installation process, refer to the recommended setup settings according to the WIBU-SYSTEMS advisories, a brief summary is provided in the chapter mitigation. Please check for updates and details that may not be included in this document.\n\nWAGO will provide updated e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) setup routines with the latest WIBU-SYSTEMS Codemeter version in Q4/2021.",
          "group_ids": [
            "CSAFGID-0001"
          ],
          "product_ids": [
            "CSAFPID-51001"
          ]
        },
        {
          "category": "mitigation",
          "details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Run CodeMeter as client only and use localhost as binding for the CodeMeter communication\n3. With binding to localhost an attack is no longer possible via remote network connection. The network server is disabled by default.\n4. If it is not possible to disable the network server, using a host-based firewall to restrict access to the CmLAN port can reduce the risk.\n5. The CmWAN server is disabled by default. Please check if CmWAN is enabled and disable the feature if it is not needed.\n6. Run the CmWAN server only behind a reverse proxy with user authentication to prevent attacks from unauthenticated users.\n7. The risk of an unauthenticated attacker can be further reduced by using a host-based firewall that only allows the reverse proxy to access the CmWAN port.\nFor further impact information and risk mitigation, please refer to the official WIBU-SYSTEMS Advisory Website at https://wibu.com/support/security-advisories.html",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.1,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.1,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51001",
            "CSAFPID-51002",
            "CSAFPID-51003",
            "CSAFPID-51004",
            "CSAFPID-51005",
            "CSAFPID-51006",
            "CSAFPID-51007",
            "CSAFPID-51008"
          ]
        }
      ],
      "title": "CVE-2021-20093"
    },
    {
      "cve": "CVE-2021-20094",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "description",
          "text": "A denial of service vulnerability exists in Wibu-Systems CodeMeter versions \u003c 7.21a. An unauthenticated remote attacker can exploit this issue to crash the CodeMeter Runtime Server.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-51001",
          "CSAFPID-51002",
          "CSAFPID-51003",
          "CSAFPID-51004",
          "CSAFPID-51005",
          "CSAFPID-51006",
          "CSAFPID-51007",
          "CSAFPID-51008"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "We strongly encourage e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) users to update WIBU-SYSTEMS Codemeter by installing the latest available stand-alone WIBU-SYSTEMS Codemeter Version.\n\nDuring the WIBU-SYSTEMS Codemeter installation process, refer to the recommended setup settings according to the WIBU-SYSTEMS advisories, a brief summary is provided in the chapter mitigation. Please check for updates and details that may not be included in this document.\n\nWAGO will provide updated e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) setup routines with the latest WIBU-SYSTEMS Codemeter version in Q4/2021.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "mitigation",
          "details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Run CodeMeter as client only and use localhost as binding for the CodeMeter communication\n3. With binding to localhost an attack is no longer possible via remote network connection. The network server is disabled by default.\n4. If it is not possible to disable the network server, using a host-based firewall to restrict access to the CmLAN port can reduce the risk.\n5. The CmWAN server is disabled by default. Please check if CmWAN is enabled and disable the feature if it is not needed.\n6. Run the CmWAN server only behind a reverse proxy with user authentication to prevent attacks from unauthenticated users.\n7. The risk of an unauthenticated attacker can be further reduced by using a host-based firewall that only allows the reverse proxy to access the CmWAN port.\nFor further impact information and risk mitigation, please refer to the official WIBU-SYSTEMS Advisory Website at https://wibu.com/support/security-advisories.html",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51001",
            "CSAFPID-51002",
            "CSAFPID-51003",
            "CSAFPID-51004",
            "CSAFPID-51005",
            "CSAFPID-51006",
            "CSAFPID-51007",
            "CSAFPID-51008"
          ]
        }
      ],
      "title": "CVE-2021-20094"
    }
  ]
}