Security researchers recently discovered six critical vulnerabilities in third-party code that could expose hundreds of thousands of OT environments to remote code execution attacks.
These vulnerabilities were found in Wibu-Systems’ CodeMeter software, a license management platform that is widely used by some of today’s leading industrial control system (ICS) product vendors, including Rockwell Automation and Siemens. CodeMeter provides ICS vendors with tools to help strengthen their security stance, support licensing models and protect against piracy and reverse-engineering.
Potential Attack Vectors
The bugs, which were discovered by researchers at Claroty, were given a collective CVSS score of 10.0 by ICS-CERT, representing the highest level of severity. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) claims that, if exploited, these vulnerabilities could allow a hacker to falsify or alter a license file, cause a denial-of-service condition, possibly attain remote code execution, view heap data, or prevent normal operation of third-party software that relies on CodeMeter.
In another scenario, attackers could use social engineering techniques to phish their victims, tricking them into visiting a malicious website under their control in order to inject a malicious license onto the victims’ device. Or, attackers could exploit one of the vulnerabilities in order to create and inject forged licenses onto a machine running CodeMeter.
Security researchers also claim that the worst of the vulnerabilities could allow hackers to compromise the CodeMeter communication protocol and internal API, allowing them to easily send commands to any device running the code. This would enable complete remote takeover, which could result in attackers installing ransomware or other potentially devastating exploits and/or crashing programmable logic controllers (PLCs).
Wibu-Systems made patches available for all of the flaws in version 7.10 of CodeMeter, but many OT managers may not even be aware that a vulnerable version of CodeMeter is running in their environment, which makes mitigation that much more difficult. To help mitigate this threat, organizations are advised to follow these three steps:
- Step 1: Scan for the product.
- Step 2: Block TCP port 22350.
- Step 3: Contact your ICS vendors to see if they can manually upgrade the third-party component of CodeMeter.
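The three steps can be turned into a repeatable check over your own asset list. The script below is an added example, not code from the article or from Wibu-Systems: it flags assets whose recorded CodeMeter version is older than 7.10 and tests whether TCP 22350 is still reachable from where the script runs. The inventory layout, the function names and the `major.minor` version format with an optional letter suffix are assumptions.

```python
import re
import socket
from concurrent.futures import ThreadPoolExecutor

CODEMETER_PORT = 22350   # TCP port named in Step 2
FIXED_VERSION = (7, 10)  # release the article says carries the patches


def parse_version(text):
    """Parse 'major.minor' with an optional letter suffix, e.g. '7.10a' (assumed format)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)[a-z]?\s*", text or "", re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_patched(text):
    """True only when the version parses and is >= 7.10; unknown counts as unpatched."""
    version = parse_version(text)
    return version is not None and version >= FIXED_VERSION


def port_reachable(host, port=CODEMETER_PORT, timeout=1.0):
    """True if a TCP connection to host:port succeeds from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def audit(inventory, port=CODEMETER_PORT, timeout=1.0):
    """inventory: list of {'host': ..., 'codemeter_version': ...} from your own asset records."""
    def check(asset):
        reachable = port_reachable(asset["host"], port, timeout)
        patched = is_patched(asset.get("codemeter_version"))
        actions = []
        if not patched:
            actions.append("ask vendor for upgrade to 7.10")
        if reachable:
            actions.append(f"block TCP {port}")
        return {"host": asset["host"], "patched": patched,
                "reachable": reachable, "actions": actions}
    with ThreadPoolExecutor(max_workers=16) as pool:
        return list(pool.map(check, inventory))


if __name__ == "__main__":
    # Constructed sample inventory (loopback only); replace with your own asset list.
    sample = [{"host": "127.0.0.1", "codemeter_version": "7.00"}]
    for row in audit(sample):
        print(row)
```

Run it once from the IT side of the network and once from inside the OT segment: a host that is reachable from the former after Step 2 means the block rule is not in effect on that path.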
As ICS devices become increasingly Ethernet-connected, they’ve also become increasingly vulnerable to attack. As a whole, the industrial sector is underprepared for the digital convergence of its IT and OT environments. The rate of new connected devices is outpacing the rate of device security, with no sign of slowing down.
Having such high levels of smart machinery certainly helps improve efficiency – but without the proper controls, it offers attackers remote access and attack opportunities that did not exist before. It really is no surprise that over 70 percent of ICS vulnerabilities disclosed in the first half of 2020 can be exploited remotely.