Six critical vulnerabilities have been uncovered by Claroty researchers in Wibu-Systems’ CodeMeter third-party license management component that could expose users in numerous industries to takeover of their operational technology (OT) networks. These flaws can be exploited via phishing campaigns or directly by attackers who would be able to fingerprint user environments in order to modify existing software licenses or inject malicious ones, causing devices and processes to crash. Serious encryption implementation issues, also discovered by Claroty, can be exploited to allow attackers to execute code remotely, and move laterally on OT networks.
CodeMeter is widely used by many of the leading ICS software vendors. Customers of these and other affected companies who operate in numerous industries, including medical device makers, automakers, manufacturers, process designers, and many others, could be unaware this vulnerable component is running in their environment. Claroty has built an online utility that will help users determine whether they are running a vulnerable version of CodeMeter.
Wibu-Systems has made patches available for all of the flaws in version 7.10 of CodeMeter, which has been available since Aug. 11; many of the affected vendors have been notified and have added, or are in the process of adding, the fixes to their respective installers.
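As an added example, not Claroty's online utility and not any Wibu-Systems code: a small Python check that decides whether a reported CodeMeter version predates the 7.10 fix release. It assumes the version strings come from the organization's own software inventory export (the constructed records at the bottom stand in for that), and the one thing it is careful about is comparing version components numerically, because a plain string comparison ranks 7.9 above 7.10.

```python
import re

# Release in which Wibu-Systems shipped the fixes for the CodeMeter flaws (from the article)
FIXED_VERSION = "7.10"

# A dotted numeric version with at least one dot, so a stray "2020" in a banner is not mistaken for one
_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)")


def parse_version(text):
    """Return the first dotted version in `text` as a tuple of ints, e.g. "7.10a" -> (7, 10).

    Raises ValueError when no version is present, so callers cannot silently
    treat an unparsed record as patched.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_pre_fix(version_text, fixed=FIXED_VERSION):
    """True when the reported version is older than the fixed release.

    Tuples compare component by component, so (7, 9) < (7, 10); the naive
    string comparison "7.9" < "7.10" is False and would mark a vulnerable
    host as patched.
    """
    return parse_version(version_text) < parse_version(fixed)


def hosts_needing_patch(inventory):
    """Split an inventory of (hostname, version_text) pairs into hosts still on a
    pre-fix build and hosts whose version could not be parsed.

    Unparsable hosts are returned separately rather than dropped: an empty or
    garbled version field is a gap in the inventory, not evidence of a patch.
    """
    needs_patch, unknown = [], []
    for host, text in inventory:
        try:
            if is_pre_fix(text):
                needs_patch.append(host)
        except ValueError:
            unknown.append(host)
    return needs_patch, unknown


if __name__ == "__main__":
    # Constructed inventory records; hostnames and version strings are made up for this example
    sample = [
        ("eng-ws-01", "CodeMeter Runtime 7.00"),
        ("eng-ws-02", "CodeMeter Runtime 7.10"),
        ("hmi-03", "CodeMeter 6.90 (Build 1234)"),
        ("plc-prog-04", "not installed"),
    ]
    pending, unknown = hosts_needing_patch(sample)
    print("still on a pre-7.10 build:", pending)
    print("version not determined:", unknown)
```

The separate "unknown" list is deliberate: in an OT inventory the hosts with a blank or odd version field are often exactly the engineering laptops and HMIs that were never enrolled in patch management, so they deserve a manual look rather than being filtered out.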
Technical details on the vulnerabilities as well as details about how Claroty uncovered these flaws are available in a paper released today, titled “License to Kill: Leveraging License Management to Attack ICS Networks.”
The Industrial Control System Computer Emergency Response Team (ICS-CERT) today also issued an advisory about these vulnerabilities, and collectively assigned a CVSS score of 10.0, the highest criticality rating available.
OT Networks at Risk for Complete Takeover
The worst of the bugs were found in the product’s encryption implementation, which Claroty researchers leveraged to attack the CodeMeter communication protocol and internal API in order to remotely communicate with, and send commands to, any machine running CodeMeter. Claroty researchers were also able to find vulnerabilities in the CodeMeter WebSocket API, which enables management of licenses via JavaScript; an attacker would have to phish or socially engineer a victim to lure them to a site they control in order to use JavaScript to inject a malicious license of their own onto the victim’s machine. Researchers were also able to leverage a separate vulnerability to bypass the digital signatures protecting CodeMeter in order to alter or create valid, forged licenses, and inject them onto any CodeMeter-running machine whose user landed on the attacker’s site.
A view of the CodeMeter WebSocket vulnerability over the Purdue Model.
Vulnerable users include those in common operational technology (OT) scenarios such as the one shown above, where an engineer runs an engineering station on a laptop to manage, compile, and transfer code to a human-machine interface (HMI) or programmable logic controllers (PLCs), and so interacts with both IT and OT networks. A convincing phishing email or other social engineering attack could lure the engineer to the attacker’s site, where their machine would be infected with malware such as ransomware or exploits for other vulnerabilities; once that machine connects to an OT network, the attacker’s malicious license could infect a PLC or cause it to crash.
The vulnerabilities described here allow an attacker that is either performing a phishing campaign, or one that already has network access to engineering stations and HMIs in critical environments, to completely take over those hosts running ICS software from many of the leading vendors. This means the attacker may impact and modify physical processes (as was done in the Triton attacks using Industroyer) or install ransomware, as was alleged in the recent incident affecting Japanese automaker Honda, and effectively take down the ICS environment.
License Manipulation and Forgery
Finding these vulnerabilities was a two-step journey for Claroty researchers. First, they had to fully understand the CodeMeter licensing scheme in order to parse its inner workings. Next, they built a novel fuzzer that uncovered vulnerabilities in the licensing scheme that allowed them to modify existing licenses or forge valid, corrupted licenses that would crash machines.
Claroty researchers also found attack vectors in the encryption protecting the CodeMeter proprietary protocol. By cracking that encryption implementation, researchers were able to build their own CodeMeter API and client, granting them the ability to communicate with and send commands to any machine running CodeMeter.
CodeMeter’s license-management solution gives software makers the ability to define the types of licenses that will be applied to their products; its encryption services also deliver intellectual property protection that includes anti-tampering mechanisms, anti-reverse-engineering, and more.
A critical vulnerability (CVE-2020-14519) was uncovered in CodeMeter’s WebSocket API, allowing attackers to abuse the internal WebSocket API via crafted JavaScript code hosted on an attacker-controlled website. The vulnerability allows attackers to inject modified or forged valid licenses. An attacker would likely be able to, for example, target a specific group of engineers looking for advice on a forum dedicated to programmable logic controllers (PLCs) with this vulnerability by hosting the malicious payload on a phony or compromised forum.
Attackers may abuse WebSocket luring victims to a malicious website to inject modified or forged licenses.
Similar to an issue that arose in May, when users discovered eBay was running a port scan on visitors to its website by testing WebSocket connections to a number of ports, an attacker could fingerprint a user’s system in order to learn which vendor and what types of licenses are running on a compromised machine, and adjust their attacks accordingly. In some cases the license itself may also include customer information of value to the attacker.
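The WebSocket issue described in the last few paragraphs belongs to a well-known class: a service listening on the local machine accepts upgrade requests without regard to which web page initiated them. The following is an added Python example, not CodeMeter code and not Wibu-Systems' fix; it contrasts a handshake check that ignores the Origin header with one that enforces an allow-list. The API path, port and allow-list are assumptions, and the three handshake requests are constructed for the example.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list of pages permitted to drive the local API (assumed, not CodeMeter's)
ALLOWED_ORIGINS = {"http://localhost", "http://127.0.0.1"}


def parse_handshake(raw):
    """Split an HTTP/1.1 upgrade request into (method, target, headers).

    Header names are lower-cased because HTTP header names are case-insensitive.
    """
    head = raw.partition("\r\n\r\n")[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_websocket_upgrade(method, headers):
    """Protocol-level checks every WebSocket server performs."""
    return (method == "GET"
            and headers.get("upgrade", "").lower() == "websocket"
            and "upgrade" in headers.get("connection", "").lower()
            and "sec-websocket-key" in headers)


def accept_vulnerable(raw):
    """Accepts the upgrade from any page: Origin is never consulted, so script on a
    third-party site the user merely visits can open the socket and call the API."""
    method, _target, headers = parse_handshake(raw)
    return is_websocket_upgrade(method, headers)


def accept_hardened(raw, allowed=ALLOWED_ORIGINS):
    """Same checks plus an Origin allow-list.

    Browsers attach Origin to every script-initiated WebSocket handshake and do not
    let page script override it, so a cross-site page cannot pass this check. A
    missing Origin is rejected too: a browser page would have sent one, and a
    non-browser client needs real authentication, not an absent header.
    """
    method, _target, headers = parse_handshake(raw)
    if not is_websocket_upgrade(method, headers):
        return False
    origin = headers.get("origin")
    if not origin:
        return False
    parts = urlsplit(origin)
    if not parts.scheme or not parts.netloc:   # also rejects the literal "null" origin
        return False
    normalized = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    return normalized in allowed


def _handshake(origin_line):
    # Constructed request; host, port and path are placeholders, not CodeMeter's
    return ("GET /license-api HTTP/1.1\r\n"
            "Host: 127.0.0.1:9999\r\n"
            "Upgrade: websocket\r\n"
            "Connection: Upgrade\r\n"
            "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
            "Sec-WebSocket-Version: 13\r\n"
            + origin_line + "\r\n")


SAME_ORIGIN = _handshake("Origin: http://localhost\r\n")
CROSS_SITE = _handshake("Origin: https://phony-plc-forum.example\r\n")   # the lure site from the text
NO_ORIGIN = _handshake("")

if __name__ == "__main__":
    for label, req in [("same-origin", SAME_ORIGIN), ("cross-site", CROSS_SITE), ("no Origin", NO_ORIGIN)]:
        print(f"{label:12} vulnerable={accept_vulnerable(req)} hardened={accept_hardened(req)}")
```

Two caveats worth keeping in mind. An Origin check is only meaningful against browsers; any native client can send whatever Origin it likes, so a local API that expects non-browser callers needs authentication as well. And it does nothing against the fingerprinting the eBay comparison describes: a page learns that a listener exists from whether the TCP connection completes, before any handshake is examined, so the listener's exposure (bind address, host firewall rules) has to be limited separately.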
Researchers also used a custom fuzzer to find other vulnerabilities in the CodeMeter licensing file structure that were combined with separate—and manually discovered—vulnerabilities enabling the bypass of digital signatures used to protect CodeMeter’s licenses (CVE-2020-14515). Chaining these two bugs allows an attacker to sign their own licenses and then inject them remotely. Vulnerabilities related to input validation errors (CVE-2020-14513) could also be exploited to cause industrial gear to crash and be unresponsive, leading to a denial-of-service condition.
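The paragraph above describes two bugs that compound: a loader that can be crashed by malformed license data, and a signature check that could be bypassed. What follows is an added Python example of the defensive pattern that closes off that combination, written against a toy container format and an HMAC so that it runs with the standard library alone. It is not CodeMeter's license format and not Wibu-Systems' code, and a real product would use a public-key signature in place of the shared key; the point it demonstrates is authenticating every byte before interpreting any of them, contrasted with a parse-first loader.

```python
import hashlib
import hmac
import struct

# Toy container (constructed for this example):  magic(4) | body_len(2, big-endian) | body | tag(32)
# tag = HMAC-SHA256(key, magic | body_len | body): everything except the tag is authenticated
MAGIC = b"LIC1"
HEADER_LEN = len(MAGIC) + 2
TAG_LEN = hashlib.sha256().digest_size
MAX_BODY = 4096
DEMO_KEY = b"constructed-demo-key"   # stand-in for the vendor's signing key


def make_license(body, key=DEMO_KEY):
    """Build a well-formed container; only the holder of `key` can produce a valid tag."""
    if len(body) > MAX_BODY:
        raise ValueError("body too large")
    header = MAGIC + struct.pack(">H", len(body))
    return header + body + hmac.new(key, header + body, hashlib.sha256).digest()


def load_parse_first(blob):
    """Anti-pattern: interpret fields before anything is authenticated.

    The length field is trusted, a short or corrupted file surfaces as a
    struct.error or a bad slice instead of a clean rejection, and the body is
    handed to the application before the tag has been looked at.
    """
    body_len = struct.unpack(">H", blob[4:6])[0]          # raises on a truncated file
    body = blob[HEADER_LEN:HEADER_LEN + body_len]
    return body.split(b";")                                # "used" before verification


def load_verified(blob, key=DEMO_KEY):
    """Verify-then-parse. Returns the body fields, or None on any anomaly.

    Order matters: size sanity first (cheap, prevents out-of-range slicing), then a
    constant-time MAC check over every byte except the tag, and only then field
    parsing of data that is known to be exactly what the signer produced. The
    length field is still cross-checked and trailing bytes are refused, so a file
    cannot carry unauthenticated data the parser might wander into.
    """
    if len(blob) < HEADER_LEN + TAG_LEN or len(blob) > HEADER_LEN + MAX_BODY + TAG_LEN:
        return None
    signed, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    if signed[:len(MAGIC)] != MAGIC:
        return None
    body_len = struct.unpack(">H", signed[len(MAGIC):HEADER_LEN])[0]
    body = signed[HEADER_LEN:]
    if body_len != len(body):
        return None
    return body.split(b";")


def corrupt(blob, index):
    """Flip one bit at `index` (simulates the kind of mutation a fuzzer feeds a loader)."""
    mutated = bytearray(blob)
    mutated[index] ^= 0x01
    return bytes(mutated)


if __name__ == "__main__":
    good = make_license(b"vendor=example;product=hmi-suite;features=3")
    print("valid file    ->", load_verified(good))
    print("truncated     ->", load_verified(good[:HEADER_LEN + 5]))
    print("bit flipped   ->", load_verified(corrupt(good, HEADER_LEN + 3)))
    print("trailing data ->", load_verified(good + b"\x00"))
    try:
        load_parse_first(good[:5])
    except struct.error as exc:
        print("parse-first loader on truncated file ->", type(exc).__name__, exc)
```

The hardened loader never distinguishes between a forged tag, a flipped bit and a bad length in its return value; a single None keeps the rejection path uniform and gives a fuzzer nothing to steer by, while the detail can still go to a log for the defender.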