Far-Reaching Third-Party Components Putting OT Networks at Risk
September 08, 2020 | By Sharon Brizinov and Tal Keren
Six critical vulnerabilities have been uncovered by Claroty researchers in Wibu-Systems’ CodeMeter third-party license management component that could expose users in numerous industries to takeover of their operational technology (OT) networks. These flaws can be exploited via phishing campaigns or directly by attackers who would be able to fingerprint user environments in order to modify existing software licenses or inject malicious ones, causing devices and processes to crash. Serious encryption implementation issues, also discovered by Claroty, can be exploited to allow attackers to execute code remotely, and move laterally on OT networks.
CodeMeter is widely used by many of the leading ICS software vendors, including Rockwell Automation and Siemens, both of whom confirmed in advisories they are affected by these flaws. Other vendors are expected to confirm as well; Claroty has published a list of affected vendors that will be updated periodically. Customers of these and other affected companies who operate in numerous industries, including medical device makers, automakers, manufacturers, process designers, and many others, could be unaware this vulnerable component is running in their environment. Claroty has built an online utility that will help users determine whether they are running a vulnerable version of CodeMeter.
Wibu-Systems has made patches available for all of the flaws in version 7.10a of CodeMeter, which has been available since Aug. 11; many of the affected vendors have been notified and have added, or are in the process of adding, the fixes to their respective installers.
The Industrial Control System Computer Emergency Response Team (ICS-CERT) today also issued an advisory about these vulnerabilities, and collectively assigned a CVSS score of 10.0, the highest criticality rating available.
OT Networks at Risk for Complete Takeover
A view of the CodeMeter WebSocket vulnerability over the Purdue Model.
Vulnerable users include those in common operational technology (OT) scenarios such as the one shown above, where an engineer runs an engineering station on a laptop in order to manage, compile, and transfer code to a human-machine interface (HMI) or programmable logic controllers (PLCs), and so interacts with both IT and OT networks. A convincing phishing email or other social engineering attack could lure the engineer to the attacker’s site, where the machine would be infected with malware such as ransomware or exploits for other vulnerabilities; once connected to an OT network, it could then infect a PLC or cause it to crash because of the attacker’s malicious license.
The vulnerabilities described here allow an attacker who is either running a phishing campaign, or who already has network access to engineering stations and HMIs in critical environments, to completely take over those hosts, which run ICS software from many of the leading vendors. This means the attacker may impact and modify physical processes (as was done in the Triton attacks using Industroyer) or install ransomware, as was alleged in the recent incident affecting Japanese automaker Honda, and effectively take down the ICS environment.
License Manipulation and Forgery
Finding these vulnerabilities was a two-step journey for Claroty researchers. First, they had to fully understand the CodeMeter licensing scheme in order to parse its inner workings. Next, they built a novel fuzzer that uncovered vulnerabilities in the licensing scheme that allowed them to modify existing licenses or forge valid, corrupted licenses that would crash machines.
Claroty researchers also found attack vectors in the encryption protecting the CodeMeter proprietary protocol. By cracking that encryption implementation, researchers were able to build their own CodeMeter API and client, granting them the ability to communicate with and send commands to any machine running CodeMeter.
CodeMeter’s license-management solution lets software makers define the types of licenses that will be applied to their products, and its encryption services also deliver intellectual property protection that includes anti-tampering mechanisms, anti-reverse-engineering, and more.
Attackers may abuse WebSocket by luring victims to a malicious website in order to inject modified or forged licenses.
Similar to an issue that arose in May when users discovered eBay was running a port scan on visitors to its website by testing WebSocket connections to a number of ports, an attacker could fingerprint a user’s system in order to learn which vendor and what types of licenses are running on a compromised machine, and adjust their attacks accordingly. In some cases, for example, the license could also include customer information that would be of value to the attacker as well.
Researchers also used a custom fuzzer to find other vulnerabilities in the CodeMeter licensing file structure that were combined with separate—and manually discovered—vulnerabilities enabling the bypass of digital signatures used to protect CodeMeter’s licenses (CVE-2020-14515). Chaining these two bugs allows an attacker to sign their own licenses and then inject them remotely. Vulnerabilities related to input validation errors (CVE-2020-14513) could also be exploited to cause industrial gear to crash and be unresponsive, leading to a denial-of-service condition.
Exploits could cause devices to crash and become unresponsive.
Targeting the API for Remote Code Execution
Once Claroty researchers found a way to remotely inject licenses, generate valid licenses (using a custom-built license builder), and discover additional bugs in the CodeMeter license-parser mechanism, the next step would be to chain those and develop a fully working proof-of-concept attack in order to achieve remote code execution on a CodeMeter server.
Claroty researchers were able to find a logic bug in the encryption key-generation function for the Wibu license service. The bug reduces the key search space so that retrieving a valid key, which would otherwise take potentially days of brute-force attempts, takes just a few seconds offline; see the graphic below.
A visualization of the time reduction researchers achieved in exploiting CodeMeter’s encryption weaknesses.
Decrypting the payload allowed researchers to analyze and understand the proprietary CodeMeter protocol and build their own CodeMeter API in Python that allowed them to communicate with and send commands to remote CodeMeter installations without authentication or authorization mechanisms.
The researchers also used their fuzzer to find additional memory corruption vulnerabilities in the protocol that could also be triggered on remote CodeMeter implementations.
CodeMeter Vulnerability Mitigations
Because CodeMeter is third-party code integrated into many products from leading ICS vendors, Claroty researchers stress that it may not be readily apparent that the vulnerable software is running on a user’s machine.
Claroty’s online utility can help users determine whether they are vulnerable and should take action.
In summary, to mitigate the issue at the network level, Claroty recommends the following:
Use the Claroty online tool to detect presence of CodeMeter products.
Identify existing software installations of CodeMeter using software inventory solutions such as Microsoft SCCM, Qualys, or antivirus management software. Look for “Wibu” or “CodeMeter.”
Block TCP port 22350 (CodeMeter network protocol) on your organization’s border firewall to prevent remote exploitation of the vulnerability.
Contact vendors to find out whether they support manual upgrade of the CodeMeter software, so that you can upgrade only the third-party CodeMeter component rather than the entire software stack. Based on responses we got from a few vendors, this procedure is supported.
Like Ripple20, these vulnerabilities in Wibu-Systems’ CodeMeter demonstrate the potential for harm when widespread security issues affect third-party components that live everywhere in the ICS domain.
Further exacerbating the issue are the difficulties in fixing—at scale—critical vulnerabilities found in third-party components.
There’s much more complexity involved than a single vendor patching software and pushing it out to customers; communication must happen across the entire OT and ICS ecosystems, which impacts response times and likely availability once vulnerable devices are addressed. Claroty encourages users to access its online utility in order to determine whether CodeMeter is running in their environment.
Below is a brief description of each vulnerability discovered by Claroty, as provided by ICS-CERT:
BUFFER ACCESS WITH INCORRECT LENGTH VALUE (CWE-805)
Multiple memory corruption vulnerabilities exist where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
INADEQUATE ENCRYPTION STRENGTH (CWE-326)
Protocol encryption can be easily broken and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API. A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).
ORIGIN VALIDATION ERROR (CWE-346)
IMPROPER INPUT VALIDATION (CWE-20)
CodeMeter and the software using it may crash while processing a specifically crafted license file due to unverified length fields. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE (CWE-347)
There is an issue in the license-file signature checking mechanism, which allows attackers to build arbitrary license files, including forging a license file that passes as a valid license file of an existing vendor. Only CmActLicense update files with CmActLicense Firm Code are affected. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H).
IMPROPER RESOURCE SHUTDOWN OR RELEASE (CWE-404)
An attacker could send a specially crafted packet that could have the server send back packets containing data from the heap. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
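The CWE-805 entry above (length fields not verified by the packet parser) and the CWE-404 entry (a crafted packet makes the server answer with bytes from its heap) are two faces of the same defect: a handler copies as many bytes as the length field claims instead of as many as the transport actually delivered. The following Python is an added illustration of that defect and its fix; it is not Claroty's code, not CodeMeter's protocol, and the two-byte length-prefixed message format, the `RECV_BUF` buffer and the `echo_*` handlers are all hypothetical constructions for the example.

```python
import struct


class MalformedPacket(ValueError):
    """Raised when a length field disagrees with the bytes actually received."""


# A reusable receive buffer stands in for the server's heap (hypothetical): whatever an
# earlier packet left in it is still there when the next, shorter packet arrives.
RECV_BUF = bytearray(64)


def receive(packet: bytes) -> int:
    """Copy one packet into the reusable buffer, as a socket read would, and return its size."""
    if len(packet) > len(RECV_BUF):
        raise MalformedPacket("packet larger than receive buffer")
    RECV_BUF[: len(packet)] = packet
    return len(packet)


def echo_unchecked(received: int) -> bytes:
    """Handler in the style of the CWE-805/CWE-404 bug: trusts the 16-bit length field
    and copies that many bytes, ignoring how many bytes were actually received.
    When the field overstates the payload, stale bytes from earlier packets are returned."""
    (length,) = struct.unpack_from(">H", RECV_BUF, 0)
    return bytes(RECV_BUF[2 : 2 + length])


def echo_checked(received: int) -> bytes:
    """Hardened handler: the length field is validated against the byte count the
    transport delivered before any copy happens, so nothing outside the packet is read."""
    if received < 2:
        raise MalformedPacket("packet too short for a length header")
    (length,) = struct.unpack_from(">H", RECV_BUF, 0)
    if length > received - 2:
        raise MalformedPacket(f"length field {length} exceeds payload of {received - 2} bytes")
    return bytes(RECV_BUF[2 : 2 + length])


if __name__ == "__main__":
    receive(b"\x00\x06secret")      # constructed: a well-formed packet leaves "secret" in the buffer
    n = receive(b"\x00\x08ab")      # constructed: header claims 8 bytes, only 2 follow
    print(echo_unchecked(n))        # stale leftovers from the earlier packet come back
    try:
        echo_checked(n)
    except MalformedPacket as err:
        print("rejected:", err)
```

The hardened handler takes the delivered byte count from the transport layer rather than from the message itself; a detection rule for this bug class is the same comparison applied to captured traffic, flagging packets whose declared length exceeds their actual size.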
All versions prior to 7.10 are affected by CVE-2020-14509 and CVE-2020-16233.
All versions prior to 7.00 are affected by CVE-2020-14519, including Version 7.0 or newer with the affected WebSockets API still enabled. This is especially relevant for systems or devices where a web browser is used to access a web server.
All versions prior to 6.81 are affected by CVE-2020-14513.
All versions prior to 6.90 are affected by CVE-2020-14517, including Version 6.90 or newer only if CodeMeter Runtime is running as a server.
All versions prior to 6.90 are affected by CVE-2020-14515 when using CmActLicense update files with CmActLicense Firm Code. This license manager is used in products by many different vendors.
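The mitigation steps above (search software inventory for “Wibu” or “CodeMeter”, then decide which installs need action) and the affected-version list just given can be turned into a small triage script. The Python below is an added example, not Claroty's online utility or any Wibu-Systems tooling; the CSV inventory export, the host names and the per-host configuration facts are constructed for the example. The rule table transcribes the version list on this page, reading “including Version X or newer only if …” as extending exposure to newer builds when that feature is enabled, and the CmActLicense condition on CVE-2020-14515 as required for exposure.

```python
import csv
import io
import re
from dataclasses import dataclass

# Affected-version matrix transcribed from the advisory summary on this page:
# (CVE, first fixed version, host flag that keeps newer versions affected, host flag required for exposure)
RULES = [
    ("CVE-2020-14509", (7, 10), None, None),
    ("CVE-2020-16233", (7, 10), None, None),
    ("CVE-2020-14519", (7, 0), "websockets_api_enabled", None),
    ("CVE-2020-14513", (6, 81), None, None),
    ("CVE-2020-14517", (6, 90), "runs_as_server", None),
    ("CVE-2020-14515", (6, 90), None, "uses_cmactlicense_updates"),
]

# Constructed sample export in the shape a software-inventory tool might produce.
SAMPLE_INVENTORY = """host,product,version
ENG-01,CodeMeter Runtime Kit,6.81
ENG-02,WIBU-SYSTEMS CodeMeter Runtime,7.10a
HMI-03,Acme HMI Studio,4.2
ENG-04,CodeMeter Runtime Kit,6.90
"""

# Constructed per-host facts the inventory alone cannot tell you (server mode, WebSockets API, license type).
SAMPLE_HOST_FACTS = {
    "ENG-02": {"websockets_api_enabled": True},
    "ENG-04": {"runs_as_server": True},
}


@dataclass
class Host:
    name: str
    product: str
    version: str
    runs_as_server: bool = False
    websockets_api_enabled: bool = False
    uses_cmactlicense_updates: bool = False


def parse_version(text: str) -> tuple[int, int]:
    """'7.10a' -> (7, 10); the trailing letter is a hotfix marker and does not affect the comparison."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised CodeMeter version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_codemeter(product: str) -> bool:
    """Inventory match following the mitigation advice: look for 'Wibu' or 'CodeMeter'."""
    p = product.lower()
    return "wibu" in p or "codemeter" in p


def applicable_cves(host: Host) -> list[str]:
    """Apply the version matrix plus the configuration conditions to one host."""
    version = parse_version(host.version)
    hits = []
    for cve, fixed_in, extends_if, only_if in RULES:
        affected = version < fixed_in
        if extends_if and getattr(host, extends_if):
            affected = True      # newer build still exposed because the feature is enabled
        if only_if and not getattr(host, only_if):
            affected = False     # exposure requires a feature this host does not use
        if affected:
            hits.append(cve)
    return sorted(hits)


def triage(inventory_csv: str, host_facts: dict) -> dict[str, list[str]]:
    """Return {host: [CVEs]} for every inventory row that looks like a CodeMeter install."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_codemeter(row["product"]):
            continue
        host = Host(row["host"], row["product"], row["version"], **host_facts.get(row["host"], {}))
        findings[host.name] = applicable_cves(host)
    return findings


if __name__ == "__main__":
    for name, cves in triage(SAMPLE_INVENTORY, SAMPLE_HOST_FACTS).items():
        print(f"{name}: {', '.join(cves) if cves else 'no listed CVEs at this version and configuration'}")
```

Note that ENG-02 is on 7.10a, the release the page names as carrying all fixes, yet still shows CVE-2020-14519 because the WebSockets API is left enabled; a version check alone would miss it, which is why the script takes configuration facts as a separate input.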