These flaws can be exploited via phishing campaigns or directly by attackers who would be able to fingerprint user environments in order to modify existing software licenses or inject malicious ones, causing devices and processes to crash. Serious encryption implementation issues, also discovered by Claroty, can be exploited to allow attackers to execute code remotely, and move laterally on OT networks.
CodeMeter is the dominant license management and anti-piracy solution used to protect Industrial Control Systems (ICS). Customers of affected companies who operate in numerous industries, including medical device makers, automakers, manufacturers, process designers, and many others, could be unaware this vulnerable component is running in their environment. Claroty has built an that will help users determine whether they are running a vulnerable version of CodeMeter.
Wibu-Systems has made patches available for all of the flaws in version 7.10 of CodeMeter, which has been available since Aug. 11; many of the affected vendors have been notified and have added, or are in the process of, adding the fixes to their respective installers.
Technical details on the vulnerabilities as well as details about how Claroty uncovered these flaws are available in a paper released today, titled “License to Kill: Leveraging License Management to Attack ICS Networks.”
The Industrial Control System Computer Emergency Response Team (ICS-CERT) today also issued an advisory about these vulnerabilities, and collectively assigned a CVSS score of 10.0, the highest criticality rating available.
OT Networks at Risk for Complete Takeover
Vulnerable users would include those in common operational technology (OT) scenarios, above, such as where a user running an engineering station on their laptop in order to manage, compile, and transfer code to a human-machine interface (HMI) or programmable logic controllers (PLCs), and would interact both with IT and OT networks. A convincing phishing email or other social engineering attack could lure the engineer to the attacker’s site where their machine would be infected—with malware such as ransomware, or exploits for other vulnerabilities—and then once connected to an OT network, infect a PLC or cause it to crash because of the attacker’s malicious license.
The vulnerabilities described here allow an attacker that is either performing a phishing campaign, or one that already has network access to engineering stations and HMIs in critical environments to completely take over those hosts running ICS software from many of the leading vendors. This means the attacker may impact and modify physical processes (as was done in the Triton attacks using Industroyer) or install ransomware, as was alleged in the recent incident affecting Japanese automaker Honda, and effectively take down the ICS environment.
License Manipulation and Forgery
Finding these vulnerabilities was a two-step journey for Claroty researchers. First, they had to fully understand the CodeMeter licensing scheme in order to parse its inner workings. Next they built a novel fuzzer that uncovered vulnerabilities in the licensing scheme that allowed them to modify existing licenses or forge valid, corrupted licenses that would crash machines.
Claroty researchers also found attack vectors in the encryption protecting the CodeMeter proprietary protocol. By cracking that encryption implementation, researchers were able to build their own CodeMeter API and client, granting them the ability to communicate with and send commands to any machine running CodeMeter.
CodeMeter’s license-management solution allows software makers the ability to define the types of licenses that will be applied to products, and use its encryption services also deliver intellectual property protection that includes anti-tampering mechanisms, anti-reverse engineering, and more.
Similar to an issue that arose in May when users discovered eBay was running a port scan on visitors to its website by testing WebSocket connections to a number of ports, an attacker could fingerprint a user’s system in order to learn which vendor and what types of licenses are running on a compromised machine, and adjust their attacks accordingly. In some cases, for example, the license could also include customer information that would be of value to the attacker as well.
Researchers also used a custom fuzzer to find other vulnerabilities in the CodeMeter licensing file structure that were combined with separate—and manually discovered—vulnerabilities enabling the bypass of digital signatures used to protect CodeMeter’s licenses (CVE-2020-14515). Chaining these two bugs allows an attacker to sign their own licenses and then inject them remotely. Vulnerabilities related to input validation errors (CVE-2020-14513) could also be exploited to cause industrial gear to crash and be unresponsive, leading to a denial-of-service condition.
Targeting the API for Remote Code Execution
Once Claroty researchers found a way to remotely inject licenses, generate valid licenses (using a custom-built license builder), and discover additional bugs in the CodeMeter license-parser mechanism, the next step would be to chain those and develop a fully working proof-of-concept attack in order to achieve remote code execution on a CodeMeter server.
Claroty researchers were able to find a logic bug in the encryption key-generation function for the Wibu license service. The bug included a time space reduction from potential days worth of brute force attempts to just a few seconds offline to retrieve a valid key, see graphic below.
Decrypting the payload allowed researchers to analyse and understand the proprietary CodeMeter protocol and build their own CodeMeter API in Python that allowed them to communicate with and send commands to remote CodeMeter installations without authentication or authorisation mechanisms.
The researchers also used their fuzzer to find additional memory corruption vulnerabilities in the protocol that could also be triggered on remote CodeMeter implementations.
CodeMeter Vulnerability Mitigations
Claroty researchers recommend that since CodeMeter is third-party code integrated into many products from leading ICS vendors, it’s imperative to understand that it may not be readily apparent the vulnerable software is running on a user’s machine.
Claroty’s online utility can assist users to understand whether they are vulnerable and should take action
In summary, to mitigate the issue on network level Claroty recommends the following:
Use the Claroty online tool to detect presence of CodeMeter products.
Identify existing software installations of CodeMeter using software inventory solutions such as Microsoft SCCM, Qualys, antivirus management software. Look for “Wibu” or “CodeMeter.
Block TCP port 22350 (CodeMeter network protocol) on your organisation’s border firewall to block the ability to exploit the vulnerability.
Contact vendors to understand if they support manual upgrade of the CodeMeter software so you can upgrade only the third-party component of CodeMeter and not the entire software stack. Based on responses we got from a few vendors, this procedure is supported
Like Ripple20, these vulnerabilities in Wibu-Systems’ CodeMeter demonstrate the potential for harm when widespread security issues affect third-party components that live everywhere in the ICS domain. Further exacerbating the issue are the difficulties in fixing—at scale—critical vulnerabilities found in third-party components.
There’s much more complexity involved than a single vendor patching software and pushing it out to customers; communication must happen across the entire OT and ICS ecosystems, which impacts response times and likely availability once vulnerable devices are addressed. Claroty encourages users to access its online utility in order to determine whether CodeMeter is running in their environment.
Access Claroty’s to determine if your CodeMeter version is compromised.