UPDATED 22:07 EDT / SEPTEMBER 09 2020

SECURITY

DHS issues critical vulnerability advisory for CodeMeter ICS software

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Agency has issued an advisory relating to critical vulnerabilities in CodeMeter, software used in industrial control systems.

The vulnerabilities, six in total affecting all versions of CodeMeter from 6.90 through 7.10, have been given a collective Common Vulnerability Scoring System score of 10.0, the highest level on the CVSS scale.

CodeMeter, from Wibu-Systems AG, provides piracy and reverse-engineering protection to intelligent device manufacturers, along with licensing services that are designed to safeguard users against tampering and attacks from third parties.

Exploiting the vulnerabilities, an attacker could undertake remote attacks to deploy ransomware, shut down systems or even take over critical systems. “Successful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code-execution, read heap data and prevent normal operation of third-party software dependent on the CodeMeter,” the ICS-CERT advisory stated.

Wibu-Systems has released a patch addressing the vulnerabilities, but as with all security updates, it must be deployed by users, a process that invariably has issues. Those issues can include an inability to deploy updates or users simply not being aware that they need to.

Mitigation advice from CISA includes updating to the latest version of CodeMeter Runtime, running CodeMeter only as a client, utilizing the new REST API instead of the internal WebSockets API, and disabling the WebSockets API.

Lamar Bailey, senior director of security research at enterprise cybersecurity firm Tripwire Inc., told SiliconANGLE that third-party code is both a blessing and a curse.

“The curse comes from updates,” he said. “These components must be monitored for updates and security issues; all too often, vendors let third-party components get stale, and this opens the end users to a lot of risk. Industrial customers are often hit the hardest because taking systems offline to patch or update costs money and needs to be scheduled. Every organization should have a process in place to do regular updates and respond to security emergencies like this one.”

Image: Wibu-Systems
