Loading

FactoryTalk® Activation Contains Wibu CodeMeter Vulnerabilities

Severity:
High,
Critical
Advisory ID:
SD1657
Published Date:
November 15, 2023
Last Updated:
November 19, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2023-38545,
CVE-2023-3935
Downloads
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
JSON
JSON
Summary
FactoryTalk® Activation Contains Wibu CodeMeter Vulnerabilities

Published Date: November 14, 2023

Last updated: November 14, 2023

Revision Number: 1.0

CVSS Score: 7.8

AFFECTED PRODUCTS AND SOLUTION

Affected Product (automated)

First Known in Software Version

Corrected in Software Version

FactoryTalk Activation Manager

V4.00 (Utilizes Wibu-Systems CodeMeter <7.60c)

5.01

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-38545 IMPACT

Rockwell Automation FactoryTalk Activation Manager and Studio 5000 Logix Designer uses the affected Wibu-Systems’ products which internally use the libcurl in a version that is vulnerable to a buffer overflow attack if curl is configured to redirect traffic through a SOCKS5 proxy. A malicious proxy can exploit a bug in the implemented handshake to cause a buffer overflow. If no SOCKS5 proxy has been configured, there is no attack surface.

CVSS Base Score: 7.9

CVSS Vector: CVSS:3.1/ AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: No

CVE-2023-3935 IMPACT

Rockwell Automation FactoryTalk Activation Manager and Studio 5000 Logix Designer uses the affected Wibu-Systems’ products which contain a heap buffer overflow vulnerability in Wibu CodeMeter Runtime network service up to version 7.60b that allows an unauthenticated, remote attacker to achieve RCE and gain full access of the host system.

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Upgrade to FactoryTalk Activation Manager 5.01 which has been patched to mitigate these issues (Available versions here, search "activation")
  • For information on how to mitigate Security Risks on industrial automation control systems Additionally, we encourage the customer to implement our suggested security best practices to minimize risk of the vulnerability.

ADDITIONAL RESOURCES

Copyright ©2022 Rockwell Automation, Inc.