Thursday, 10 September 2020 17:50

Newly discovered vulnerabilities putting OT networks at risk

By Claroty

GUEST RESEARCH by Claroty: Six critical vulnerabilities have been uncovered by Claroty researchers in Wibu-Systems’ CodeMeter third-party license management component that could expose users in numerous industries to takeover of their operational technology (OT) networks.

These flaws can be exploited via phishing campaigns or directly by attackers who would be able to fingerprint user environments in order to modify existing software licenses or inject malicious ones, causing devices and processes to crash. Serious encryption implementation issues, also discovered by Claroty, can be exploited to allow attackers to execute code remotely, and move laterally on OT networks.

CodeMeter is the dominant license management and anti-piracy solution used to protect Industrial Control Systems (ICS). Customers of affected companies who operate in numerous industries, including medical device makers, automakers, manufacturers, process designers, and many others, could be unaware this vulnerable component is running in their environment. Claroty has built an online utility that will help users determine whether they are running a vulnerable version of CodeMeter.

Wibu-Systems has made patches available for all of the flaws in version 7.10 of CodeMeter, which has been available since Aug. 11; many of the affected vendors have been notified and have added, or are in the process of adding, the fixes to their respective installers.

Technical details on the vulnerabilities as well as details about how Claroty uncovered these flaws are available in a paper released today, titled “License to Kill: Leveraging License Management to Attack ICS Networks.”

The Industrial Control System Computer Emergency Response Team (ICS-CERT) today also issued an advisory about these vulnerabilities, and collectively assigned a CVSS score of 10.0, the highest criticality rating available.

OT Networks at Risk for Complete Takeover

The worst of the bugs were found in the product’s encryption implementation, which Claroty researchers leveraged to attack the CodeMeter communication protocol and internal API in order to remotely communicate with, and send commands to, any machine running CodeMeter. Claroty researchers were also able to find vulnerabilities in the CodeMeter WebSocket API that enables management of licenses via JavaScript; an attacker would have to phish or socially engineer a victim to lure them to a site they control in order to use JavaScript to inject a malicious license of their own onto the victim’s machine. Researchers were also able to leverage a separate vulnerability to bypass the digital signatures protecting CodeMeter in order to alter or create valid, forged licenses, and inject them onto any machine running CodeMeter that landed on the attacker’s site.

Vulnerable users would include those in common operational technology (OT) scenarios, such as the one above, where a user runs an engineering station on their laptop in order to manage, compile, and transfer code to a human-machine interface (HMI) or programmable logic controllers (PLCs), and interacts with both IT and OT networks. A convincing phishing email or other social engineering attack could lure the engineer to the attacker’s site where their machine would be infected—with malware such as ransomware, or exploits for other vulnerabilities—and then, once connected to an OT network, infect a PLC or cause it to crash because of the attacker’s malicious license.

The vulnerabilities described here allow an attacker that is either performing a phishing campaign, or one that already has network access to engineering stations and HMIs in critical environments to completely take over those hosts running ICS software from many of the leading vendors. This means the attacker may impact and modify physical processes (as was done in the Triton attacks using Industroyer) or install ransomware, as was alleged in the recent incident affecting Japanese automaker Honda, and effectively take down the ICS environment.

License Manipulation and Forgery

Finding these vulnerabilities was a two-step journey for Claroty researchers. First, they had to fully understand the CodeMeter licensing scheme in order to parse its inner workings. Next they built a novel fuzzer that uncovered vulnerabilities in the licensing scheme that allowed them to modify existing licenses or forge valid, corrupted licenses that would crash machines.

Claroty researchers also found attack vectors in the encryption protecting the CodeMeter proprietary protocol. By cracking that encryption implementation, researchers were able to build their own CodeMeter API and client, granting them the ability to communicate with and send commands to any machine running CodeMeter.

CodeMeter’s license-management solution gives software makers the ability to define the types of licenses that will be applied to products, and its encryption services also deliver intellectual property protection that includes anti-tampering mechanisms, anti-reverse engineering, and more.

A critical vulnerability (CVE-2020-14519) was uncovered in CodeMeter’s WebSocket allowing attackers to abuse the internal WebSocket API via crafted JavaScript code hosted on an attacker-controlled website. The vulnerability allows attackers to inject modified or forged valid licenses. An attacker would likely be able to, for example, target a specific group of engineers looking for advice on a forum dedicated to programmable logic controllers (PLCs) with this vulnerability by hosting the malicious payload on a phony or compromised forum.

Similar to an issue that arose in May when users discovered eBay was running a port scan on visitors to its website by testing WebSocket connections to a number of ports, an attacker could fingerprint a user’s system in order to learn which vendor and what types of licenses are running on a compromised machine, and adjust their attacks accordingly. In some cases, for example, the license could also include customer information that would be of value to the attacker as well.

Researchers also used a custom fuzzer to find other vulnerabilities in the CodeMeter licensing file structure that were combined with separate—and manually discovered—vulnerabilities enabling the bypass of digital signatures used to protect CodeMeter’s licenses (CVE-2020-14515). Chaining these two bugs allows an attacker to sign their own licenses and then inject them remotely. Vulnerabilities related to input validation errors (CVE-2020-14513) could also be exploited to cause industrial gear to crash and be unresponsive, leading to a denial-of-service condition.

Targeting the API for Remote Code Execution

Once Claroty researchers found a way to remotely inject licenses, generate valid licenses (using a custom-built license builder), and discover additional bugs in the CodeMeter license-parser mechanism, the next step would be to chain those and develop a fully working proof-of-concept attack in order to achieve remote code execution on a CodeMeter server.

Claroty researchers were able to find a logic bug in the encryption key-generation function for the Wibu license service. The bug reduced the work needed to retrieve a valid key from potentially days’ worth of brute-force attempts to just a few seconds offline; see graphic below.

Decrypting the payload allowed researchers to analyse and understand the proprietary CodeMeter protocol and build their own CodeMeter API in Python that allowed them to communicate with and send commands to remote CodeMeter installations without authentication or authorisation mechanisms.

The researchers also used their fuzzer to find additional memory corruption vulnerabilities in the protocol that could also be triggered on remote CodeMeter implementations.

CodeMeter Vulnerability Mitigations

Claroty researchers stress that, since CodeMeter is third-party code integrated into many products from leading ICS vendors, it may not be readily apparent that the vulnerable software is running on a user’s machine.

Claroty’s online utility can help users understand whether they are vulnerable and should take action.

In summary, to mitigate the issue at the network level, Claroty recommends the following:


Use the Claroty online tool to detect presence of CodeMeter products.

Identify existing software installations of CodeMeter using software inventory solutions such as Microsoft SCCM, Qualys, or antivirus management software. Look for “Wibu” or “CodeMeter.”


Block TCP port 22350 (CodeMeter network protocol) on your organisation’s border firewall to block the ability to exploit the vulnerability.

Contact vendors to understand if they support manual upgrade of the CodeMeter software so you can upgrade only the third-party component of CodeMeter and not the entire software stack. Based on responses we got from a few vendors, this procedure is supported.
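
The inventory step in the list above, as an added example (not Claroty's utility or code): it scans a software inventory export for “Wibu” or “CodeMeter” and flags versions below the patched 7.10. The CSV columns, host names, sample rows and the handling of a trailing letter as a patch-level suffix are assumptions.

```python
import csv
import io
import re

PATCHED = (7, 10, "")   # the article states the fixes ship in CodeMeter 7.10
NAME_RE = re.compile(r"wibu|codemeter", re.IGNORECASE)   # search terms from the article
VER_RE = re.compile(r"^\s*(\d+)\.(\d+)([a-z]?)")         # assumed form: major.minor[letter]

# Constructed sample inventory export; hosts, products and columns are made up.
SAMPLE_CSV = """host,product,version
eng-ws-01,CodeMeter Runtime Kit,6.90b
hmi-07,WIBU-SYSTEMS CodeMeter,7.00a
eng-ws-02,CodeMeter Runtime Kit,7.10
hist-01,Acme Historian,7.2
plc-prog-03,CodeMeter Runtime Kit,
"""

def parse_version(text):
    """Return (major, minor, suffix), or None if the field cannot be parsed."""
    m = VER_RE.match(text or "")
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3)

def triage(csv_text):
    """Classify each CodeMeter row as 'vulnerable', 'patched' or 'unknown'."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not NAME_RE.search(row["product"]):
            continue                # unrelated software
        ver = parse_version(row["version"])
        if ver is None:
            status = "unknown"      # no usable version: follow up by hand
        elif ver < PATCHED:
            status = "vulnerable"   # compared as numbers, not as strings
        else:
            status = "patched"
        findings.append((row["host"], row["version"], status))
    return findings

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_CSV):
        print(f"{host:12} {version or '-':8} {status}")
```

Rows reported as `unknown` matter as much as the vulnerable ones: CodeMeter is often bundled inside a vendor installer, so the inventory may record the product without a usable version.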


Like Ripple20, these vulnerabilities in Wibu-Systems’ CodeMeter demonstrate the potential for harm when widespread security issues affect third-party components that live everywhere in the ICS domain. Further exacerbating the issue are the difficulties in fixing—at scale—critical vulnerabilities found in third-party components.

There’s much more complexity involved than a single vendor patching software and pushing it out to customers; communication must happen across the entire OT and ICS ecosystems, which impacts response times and likely availability once vulnerable devices are addressed. Claroty encourages users to access its online utility in order to determine whether CodeMeter is running in their environment.

Access Claroty’s online utility to determine if your CodeMeter version is compromised.
