Full Report
Versions V6.0 through V8 QU1 of the Desigo CC product family (Desigo CC, Desigo CC Compact, Desigo CC Connect, Cerberus DMS), as well as the Desigo CC-based SENTRON Powermanager, are affected by a vulnerability in the underlying third-party component WIBU Systems CodeMeter Runtime. Successful exploitation of this vulnerability could lead to code execution in the context of the current process. Siemens has released instructions on how to update the CodeMeter Runtime component and recommends applying the update on affected systems.
Analysis Summary
# Vulnerability: Heap-Based Buffer Overflow in WIBU CodeMeter Runtime affecting Siemens Desigo CC and SENTRON Powermanager
## CVE Details
- **CVE ID:** CVE-2023-38545
- **CVSS Score:** 8.8 (High)
- **CWE:** CWE-122 (Heap-based Buffer Overflow)
## Affected Systems
- **Products:**
  - Desigo CC family (including Desigo CC, Compact, Connect, and Cerberus DMS)
  - SENTRON Powermanager
- **Versions:**
  - Desigo CC family: V6.x, V7.x, and V8.x (prior to V8.0 QU2)
  - SENTRON Powermanager: V6.x, V7.x, and V8.x (prior to V8.0 QU2)
- **Configurations:** Systems utilizing the third-party WIBU Systems CodeMeter Runtime component for license management.
## Vulnerability Description
The vulnerability originates from a flaw in the `curl` library used within the WIBU CodeMeter Runtime. During a SOCKS5 proxy handshake, if a hostname exceeds 255 bytes, the application is intended to switch to local name resolution. Due to a logic error during slow handshakes, the application may incorrectly attempt to copy the over-sized hostname into a fixed-size target buffer. This results in a heap-based buffer overflow, potentially allowing for arbitrary code execution within the context of the affected process.
## Exploitation
- **Status:** Vulnerability documented; PoC concepts exist for the underlying curl flaw.
- **Complexity:** Low
- **Attack Vector:** Network (The flaw is triggered during communication with a malicious or compromised proxy).
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
Siemens recommends updating the CodeMeter Runtime component or the parent software suite:
- **Desigo CC / SENTRON Powermanager V8:** Update to **V8.0 QU2** or later.
- **Desigo CC / SENTRON Powermanager V6 & V7:** Manually update the third-party component to **WIBU CodeMeter User Runtime V8.40b** or later.
### Workarounds
- **Update Component Manually:**
  1. Uninstall the existing CodeMeter version via Control Panel.
  2. Install WIBU CodeMeter User Runtime V8.40b or later.
  3. Restart the client/server.
- **General Mitigation:** Restrict network access to building automation systems and follow Siemens' operational guidelines for industrial security.
## Detection
- **Indicators of Compromise:** Unusual network traffic directed toward SOCKS5 proxies or unexpected process crashes in CodeMeter-related services.
- **Detection Methods:** Audit installed software versions to identify WIBU CodeMeter Runtime versions older than V8.40b. Ensure vulnerability scanners are updated to check for CVE-2023-38545 within third-party library contexts.
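
The version audit described above can be scripted. The following is an added example, not part of the Siemens or WIBU advisories: it compares version strings in the `major.minor[letter]` form used on this page against V8.40b. The CSV layout (`host,codemeter_version`), the host names, and the sample rows are constructed assumptions; adapt the input to whatever your software inventory exports.

```python
import csv
import io
import re

FIXED = "8.40b"  # first fixed CodeMeter User Runtime version named in the advisory

# Accepts 'V8.40b', '8.40b', '7.60c', '8.50' (optional V prefix, optional letter)
_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)([a-z]?)$")


def parse_version(text):
    """Return (major, minor, letter) for strings like 'V8.40b', or None."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        return None
    major, minor, letter = match.groups()
    # An empty letter sorts before 'a', so 8.40 < 8.40a < 8.40b
    return int(major), int(minor), letter


def classify(version_text, fixed=FIXED):
    """'vulnerable' if older than fixed, 'ok' otherwise, 'review' if unparseable."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "review"  # do not guess: send to a human
    return "vulnerable" if parsed < parse_version(fixed) else "ok"


def audit(inventory_csv):
    """Map each host in a 'host,codemeter_version' CSV to its classification."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["codemeter_version"]) for row in reader}


# Constructed sample inventory (hypothetical hosts and values)
SAMPLE = """host,codemeter_version
bms-server-01,7.60c
bms-client-02,8.40a
bms-client-03,8.40b
bms-client-04,V8.50
bms-client-05,unknown
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `review` carry a version string the parser does not recognise and should be checked by hand rather than assumed patched.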
## References
- **Siemens Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-507364[.]pdf
- **WIBU Systems Advisory:** hxxps://cdn[.]wibu[.]com/fileadmin/wibu_downloads/security_advisories/AdvisoryWIBU-231017-01[.]pdf
- **Siemens Industrial Security Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security
- **Support Links:**
  - Desigo CC Support: hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109997962/
  - SENTRON Support: hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109771760/