Severity: Critical, High
Advisory ID: PN1530
Published Date: September 18, 2020
Last Updated: September 18, 2020
Revision Number: 4.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2020-14517, CVE-2020-16233, CVE-2019-14519, CVE-2020-14519, CVE-2020-14515, CVE-2020-14509, CVE-2020-14513
Summary
FactoryTalk Activation Manager affected by CodeMeter Vulnerabilities
Revision History
Version 4.0 -- September 18, 2020. Update to reflect current mitigations. Updated links.
Version 3.0 -- September 16, 2020. Update to reflect current remediations and information from Wibu. See update below.
Version 2.1 -- September 15, 2020. Update to adjust language.
Version 2.0 -- September 14, 2020. Update regarding affected CodeMeter versions and vulnerability information.
Version 1.0 – September 08, 2020
Executive Summary
Rockwell Automation received a report from Claroty, an industrial security product vendor and research company, regarding vulnerabilities in Wibu-Systems’ CodeMeter. These vulnerabilities, if successfully exploited, may result in remote code execution, privilege escalation, or denial of service conditions to the products dependent on CodeMeter. CodeMeter is distributed as part of the installation for FactoryTalk Activation Manager. FactoryTalk Activation Manager enables customers to manage licensed content and activate Rockwell Automation software products.
Claroty has released documentation that outlines the vulnerabilities in detail. This information may make it easier for an adversary to compromise the host running Wibu CodeMeter. Customers using the affected versions of FactoryTalk Activation Manager and/or CodeMeter should implement the mitigations detailed below as soon as possible.
Affected Products
FactoryTalk Activation (FTA) Manager v4.05.00 and earlier running Wibu-Systems CodeMeter v7.10 or earlier.
The following products require FactoryTalk Activation Manager to store and keep track of Rockwell Automation software products and activation files. Customers who use products from the following list have FactoryTalk Activation Manager in their install base.
- Arena® software
- Emonitor® software
- FactoryTalk® AssetCentre software
- FactoryTalk® Batch software
- FactoryTalk® EnergyMetrix™ software
- FactoryTalk® eProcedure® software
- FactoryTalk® Gateway software
- FactoryTalk® Historian Site Edition (SE) software
- FactoryTalk® Historian Classic software
- FactoryTalk® Information Server software
- FactoryTalk® Metrics software
- FactoryTalk® Transaction Manager software
- FactoryTalk® VantagePoint® software
- FactoryTalk® View Machine Edition (ME) software
- FactoryTalk® View Site Edition (SE) software
- FactoryTalk® ViewPoint software
- RSFieldbus™ software
- RSLinx® Classic software
- RSLogix 500® software
- RSLogix 5000® software
- RSLogix™ 5 software
- RSLogix™ Emulate 5000 software
- RSNetWorx™ software
- RSView®32 software
- SoftLogix™ 5800 software
- Studio 5000 Architect® software
- Studio 5000 Logix Designer® software
- Studio 5000 View Designer® software
- Studio 5000® Logix Emulate™ software
Vulnerability Details
CVE-2020-14509: Arbitrary Command Execution Due to Buffer Access with Incorrect Length Value of CodeMeter
The packet parsing mechanism of CodeMeter does not verify its length field values, causing it to access memory outside the bounds of the buffer. This may allow an attacker to execute arbitrary commands by sending a specifically crafted packet. This out-of-bounds memory access could also lead to memory corruption, causing denial-of-service conditions by crashing the CodeMeter server.
CVSS v3.1 Base Score: 10.0/10 [CRITICAL]
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-14517: Arbitrary Command Execution Due to the Inadequate Encryption Strength of CodeMeter
A vulnerability exists in the encryption scheme of CodeMeter, which allows a bypass of the protection mechanism, enabling the server to accept external connections without authentication. This may allow an attacker to remotely communicate with the CodeMeter API, access and modify application data.
CVSS v3.1 Base Score: 9.4/10 [CRITICAL]
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
CVE-2019-14519: Denial-of-Service Conditions Due to the Origin Validation Errors of CodeMeter
The API of the WebSocket internals of CodeMeter does not provide authentication on its WebSocket services. This may allow an attacker to cause denial-of-service conditions by sending a specifically crafted JavaScript payload allowing alteration or creation of license files.
CVSS v3.1 Base Score: 8.1/10 [HIGH]
CVSS Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
CVE-2020-16233: Denial-of-Service Conditions Due to the Improper Resource Release of CodeMeter
A vulnerability exists in the internal program resource management of CodeMeter, which allows the disclosure of heap memory. This may allow an attacker to cause denial-of-service conditions by triggering an intentional resource leak.
CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2020-14513: Denial-of-Service Conditions Due to Improper Input Validation of CodeMeter
A vulnerability exists in the input validation method of CodeMeter that can affect its program control flow or data flow. This may allow an attacker to alter the control flow and cause denial-of-service conditions to CodeMeter and any product dependencies by using a specifically crafted license file.
CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-14515: Denial-of-Service Condition or Data Modification due to Improper Verification of a Cryptographic Signature in CodeMeter
A vulnerability exists in the license-file signature checking mechanism, which may allow an attacker to build arbitrary license files including forging a valid license file as if it were a valid license file of an existing vendor. This may allow an attacker to modify data or could cause a denial-of-service condition to CodeMeter.
CVSS v3.1 Base Score: 7.4/10 [HIGH]
CVSS v3.1 Vector: AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H
Risk Mitigation & User Action
UPDATE (4.0)
Customers using the affected versions of FactoryTalk Activation Manager are encouraged to update to v4.05.01. This version of FactoryTalk Activation Manager contains CodeMeter 7.10a, which addresses the vulnerabilities. Customers who are unable to patch are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
| Vulnerability | Currently Installed | Suggested Actions |
| --- | --- | --- |
| CVE-2020-14517, CVE-2020-16233, CVE-2020-14513, CVE-2020-14509, CVE-2020-14519, CVE-2020-14515 | FactoryTalk Activation Manager v4.05.00 and earlier | Update to version 4.05.01 of FactoryTalk Activation Manager. Select the FactoryTalk Activation Manager download from our website. This information can also be found in Compatibility & Downloads > Configured Views > Standard Views > Software Latest Versions > FactoryTalk Activation. |
UPDATE (3.0)
Customers using the affected products are encouraged to update to an available software revision that addresses the associated risk. As of September 16, 2020, CodeMeter 7.10a is compatible with FactoryTalk Activation Manager via the Rockwell Automation Product Compatibility and Download Center (PCDC). This version of CodeMeter remediates all of the vulnerabilities noted below. Customers can update CodeMeter directly from Wibu, which is compatible with all supported versions of FTA. A bundled version of CodeMeter 7.10a and FactoryTalk Activation Manager will also release in the coming days.
Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
| Vulnerability | Currently Installed | Suggested Actions |
| --- | --- | --- |
| CVE-2020-14517, CVE-2020-16233, CVE-2020-14513, CVE-2020-14509, CVE-2020-14519, CVE-2020-14515 | FactoryTalk Activation Manager v4.05.00 and earlier | Update to version 7.10a of CodeMeter found on the Rockwell Automation PCDC, which is compatible with all supported versions of FTA. This information can also be found in Compatibility & Downloads > Configured Views > Standard Views > Software Latest Versions > FactoryTalk Activation. |
Previous Information Contained in Versions 1.0-2.1
Customers using the affected products are encouraged to update to an available software revision that addresses the associated risk for CVE-2019-14519, and CVE-2020-14515. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
For CVE-2020-14517, CVE-2020-16233, and CVE-2020-14513, FTA v4.05 or later mitigates these vulnerabilities unless CodeMeter is running as a server. Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available.
| Vulnerability | Currently Installed | Suggested Actions |
| --- | --- | --- |
| CVE-2020-14519, CVE-2020-14515 | FactoryTalk Activation Manager v4.04.00 and earlier | Update to FTA v4.05 or later and employ the general security guidelines. For compatibility details about FactoryTalk Activation Manager, customers can consult the Product Compatibility and Download Center Standard Views > Software Latest Versions > FactoryTalk Activation |
| CVE-2020-14517, CVE-2020-16233, CVE-2020-14513, CVE-2020-14509 | FactoryTalk Activation Manager v4.04.00 and earlier | Update to FTA v4.05 or later and employ the general security guidelines. The default configuration of FTA v4.05 limits the vulnerable port, which mitigates these vulnerabilities. However, if CodeMeter is running a server, which can be turned on via FTA, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense-in-depth strategies. |
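The version thresholds in the tables above can be applied to a software inventory to decide which hosts to update first. This is an added example, not Rockwell Automation or Wibu-Systems code: the host names, the inventory fields and the CodeMeter "7.00" value are constructed, and it assumes a letter suffix such as "a" sorts after the bare version, as the advisory implies for 7.10 and 7.10a.

```python
import re

# Thresholds quoted in the advisory text.
CODEMETER_FIXED = "7.10a"   # CodeMeter release that remediates the listed CVEs
FTA_PORT_LIMITED = "4.05"   # FTA release whose default config limits the vulnerable port

def parse_version(text):
    """'v4.05.00' -> ((4, 5, 0), ''); '7.10a' -> ((7, 10, 0), 'a')."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+){0,2})([a-z]?)", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(n) for n in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))          # pad so 4.05 == 4.05.00
    return tuple(nums), m.group(2)         # '' sorts before 'a' (assumption)

def classify(host):
    """Map one inventory record to a status drawn from the advisory's guidance."""
    codemeter = parse_version(host["codemeter"])
    fta = parse_version(host["fta"])
    if codemeter >= parse_version(CODEMETER_FIXED):
        return "remediated"
    # FTA v4.05 default config mitigates the network CVEs unless CodeMeter
    # runs as a server; the host still needs the CodeMeter update.
    if fta >= parse_version(FTA_PORT_LIMITED) and not host["server_mode"]:
        return "port-limited"
    return "exposed"

def triage(inventory):
    """Return (status, host name) pairs, most urgent first."""
    order = {"exposed": 0, "port-limited": 1, "remediated": 2}
    rows = [(classify(h), h["name"]) for h in inventory]
    return sorted(rows, key=lambda r: (order[r[0]], r[1]))

# Constructed sample inventory (hypothetical hosts).
INVENTORY = [
    {"name": "eng-ws-01", "fta": "4.04.00", "codemeter": "7.00", "server_mode": False},
    {"name": "lic-srv-01", "fta": "4.05.00", "codemeter": "7.10", "server_mode": True},
    {"name": "hmi-02", "fta": "4.05.00", "codemeter": "7.10", "server_mode": False},
    {"name": "hist-01", "fta": "4.04.00", "codemeter": "7.10a", "server_mode": False},
    {"name": "eng-ws-02", "fta": "4.05.01", "codemeter": "7.10a", "server_mode": False},
]

if __name__ == "__main__":
    for status, name in triage(INVENTORY):
        print(f"{status:13} {name}")
```

Hosts reported as "port-limited" are covered only by the default port restriction described in the earlier advisory revisions and still need CodeMeter 7.10a.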
General Security Guidelines
Network-based Vulnerability Mitigations for Embedded Products
- Utilize proper network infrastructure controls, such as firewalls, to help ensure that any traffic from unauthorized sources is blocked.
- Consult the product documentation for specific features, such as a hardware key switch setting, which may be used to block unauthorized changes, etc.
- Utilize the new REST API instead of the internal WebSockets API
- Disable the WebSockets API
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
- Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN71
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).