Full Report
WIBU Systems published information about a heap buffer overflow vulnerability, and associated fix releases, in CodeMeter Runtime, a product provided by WIBU Systems and used in several Siemens industrial products for license management. The vulnerability is described in the section ‘Vulnerability Classification’ below and has been assigned the CVE ID CVE-2023-3935. Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to execute code on vulnerable products where CodeMeter Runtime (i.e., CodeMeter.exe) is configured as a server, or an authenticated local attacker to gain root/admin privileges on vulnerable products where CodeMeter Runtime is configured as a client. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not available, or not yet available.
Analysis Summary
# Vulnerability: Heap Buffer Overflow in CodeMeter Runtime (CVE-2023-3935)
## CVE Details
- CVE ID: CVE-2023-3935
- CVSS Score: 9.0 (High)
- CWE: CWE-122: Heap-based Buffer Overflow
## Affected Systems
- Products: PSS(R)CAPE, SINEC INS, SINEMA Remote Connect. (Note: The advisory mentions CodeMeter Runtime is used in several other Siemens industrial products.)
- Versions:
  - PSS(R)CAPE: All versions ≤ V14 affected by versions < V11.2
  - SINEC INS: All versions affected by versions < V1.0 SP2 Update 2
  - SINEMA Remote Connect: All versions
- Configurations:
  - Server Configuration (CodeMeter Runtime as server): Affects the unauthenticated remote exploitation scenario.
  - Client Configuration (CodeMeter Runtime as client): Affects the authenticated local exploitation scenario, resulting in privilege escalation.
## Vulnerability Description
The vulnerability is a heap buffer overflow in the CodeMeter Runtime component, which is provided by WIBU Systems and integrated into various Siemens products for license management. Successful exploitation requires breaking the relevant protection mechanisms, which differ depending on the runtime configuration (server or client).
## Exploitation
- Status: **PoC available** (Implied by the CVSS temporal metric E:P, i.e. Proof-of-Concept, and by the vendor advisory noting that exploitation requires breaking protection mechanisms.)
- Complexity: High (Suggested by CVSS AC:H; note that the remote attack nonetheless requires no authentication when CodeMeter Runtime is configured as a server.)
- Attack Vector: Network (Remote, Unauthenticated) or Local (Authenticated).
## Impact
- Confidentiality: High
- Integrity: High
- Availability: High
*(Note: Due to the potential for remote code execution (RCE) or privilege escalation, the impact on C, I, and A is assessed as High.)*
## Remediation
### Patches
- **PSS(R)CAPE:** Update to V11.2 or later version.
- **SINEC INS:** Update to V1.0 SP2 Update 2 or later version.
- **SINEMA Remote Connect:** Currently, no fix is planned.
### Workarounds
- **If CodeMeter Runtime is configured as a server:** Limit remote access to the systems where the CodeMeter Runtime network server is running.
- **If CodeMeter Runtime is configured as a client only:** Ensure only trusted persons have access to the system, and avoid configuring additional local accounts.
- Customers should refer to the product-specific recommendations in the vendor advisory.
## Detection
- **Indicators of Compromise (IOC):** None explicitly listed. Where CodeMeter Runtime is configured as a server, look for high-volume or otherwise unusual network traffic directed at the CodeMeter service.
- **Detection Methods:** Apply security controls that restrict network access to vulnerable product endpoints, especially those running CodeMeter Runtime as a server, and monitor the remaining permitted access.
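The two checks a defender would want from the Workarounds and Detection sections above, as an added example that is not part of the advisory or of CodeMeter itself: first, decide from listener output whether CodeMeter Runtime is in the exposed server configuration (bound on a non-loopback address) or client-only; second, flag sources reaching the CodeMeter port that fall outside an allow-list or exceed a connection threshold. The listening port 22350 is an assumption (the IANA-registered "codemeter" port, not stated on this page), and all sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed, not from the advisory: CodeMeter's network server uses TCP 22350.
CODEMETER_PORT = 22350

# Constructed sample shaped like `netstat -ano` output: CodeMeter.exe
# (PID 4711) is bound to all interfaces, i.e. the server configuration.
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:22350    0.0.0.0:0    LISTENING    4711
  TCP    127.0.0.1:22350  0.0.0.0:0    LISTENING    4711
"""
# Constructed sample firewall log, one "timestamp src dst dport" per line.
SAMPLE_CONNLOG = """
2023-09-13T10:00:01 10.1.5.20 10.1.5.7 22350
2023-09-13T10:00:02 10.1.5.21 10.1.5.7 22350
2023-09-13T10:00:03 192.0.2.44 10.1.5.7 22350
2023-09-13T10:00:04 192.0.2.44 10.1.5.7 22350
2023-09-13T10:00:05 10.1.5.20 10.1.5.7 443
"""
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+\d+")

def codemeter_mode(netstat_text):
    """'server' if bound on a non-loopback address, 'client' if loopback only, 'absent' if not listening."""
    bound = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(2)) == CODEMETER_PORT:
            bound.add(m.group(1))
    if not bound:
        return "absent"
    if any(not ipaddress.ip_address(a).is_loopback for a in bound):
        return "server"
    return "client"

def unusual_sources(log_text, allowed_cidrs, max_per_source):
    """Sources hitting the CodeMeter port from outside the allow-list or above max_per_source connections."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and int(parts[3]) == CODEMETER_PORT:
            counts[parts[1]] += 1
    flagged = {}
    for src, n in counts.items():
        outside = not any(ipaddress.ip_address(src) in net for net in allowed)
        if outside or n > max_per_source:
            flagged[src] = {"count": n, "outside_allowlist": outside}
    return flagged
```

A host reported as "client" needs only the local-access workaround; a "server" host should have its permitted source networks passed as the allow-list so that everything else is surfaced.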
## References
- WIBU Systems Security Advisory WIBU-230704-01: hxxps://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-230704-01.pdf
- Siemens Advisory SSA-240541: available via the Siemens ProductCERT portal (consult it for full details and product-specific recommendations).