

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has issued an advisory on critical vulnerabilities in CodeMeter, software used in industrial control systems.
The vulnerabilities, six in total and affecting all versions of CodeMeter from 6.90 through 7.10, have been given a collective Common Vulnerability Scoring System score of 10.0, the highest level on the CVSS scale.
CodeMeter, from Wibu-Systems AG, provides piracy and reverse-engineering protection to intelligent device manufacturers, along with licensing services, and is designed to safeguard users against tampering and attacks from third parties.
Exploiting the vulnerabilities, an attacker could undertake remote attacks to deploy ransomware, shut down systems or even take over critical systems. “Successful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code-execution, read heap data and prevent normal operation of third-party software dependent on the CodeMeter,” the ICS-CERT advisory stated.
Wibu-Systems has released a patch addressing the vulnerabilities, but as with all security updates, it must be deployed by users, a process that invariably runs into problems. Those problems can include an inability to deploy updates or users simply not being aware that they need to.
Mitigation advice from CISA includes updating to the latest version of CodeMeter Runtime, running CodeMeter only as a client, using the new REST API instead of the internal WebSockets API, and disabling the WebSockets API.
Lamar Bailey, senior director of security research at enterprise cybersecurity firm Tripwire Inc., told SiliconANGLE that third-party code is both a blessing and a curse.
“The curse comes from updates,” he said. “These components must be monitored for updates and security issues; all too often, vendors let third-party components get stale, and this opens the end users to a lot of risk. Industrial customers are often hit the hardest because taking systems offline to patch or update costs money and needs to be scheduled. Every organization should have a process in place to do regular updates and respond to security emergencies like this one.”