User Documentation
Security Advisory
Weidmüller Interface GmbH & Co. KG
Klingenbergstraße 26
32758 Detmold, Germany
T +49 5231 14-0
F +49 5231 14292083
www.weidmueller.com
u-create studio affected by WIBU-SYSTEMS CodeMeter vulnerabilities
Advisory
Document Identifier: D1439695
Version: 1.0
Publication Date: 2020-10-12
Reference: VDE-2020-041
CVE Identifier
CVE-2020-14509, CVE-2020-14519, CVE-2020-16233, CVE-2020-14517, CVE-2020-14515
Severity
10.0 (CVSS:3.0:AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Products
The following Weidmüller product with the indicated software versions is affected:
Product number | Product name | Software version
2660130000 | u-create studio | 1.18.b and 1.20.2
Vulnerability Type
Multiple, please see "Impact" for details.
Summary
WIBU-SYSTEMS has reported multiple vulnerabilities in its CodeMeter Runtime software. WIBU-SYSTEMS CodeMeter
is installed by default as part of the Weidmüller u-create studio installation. Because the u-create studio
installation bundle contains vulnerable versions of WIBU-SYSTEMS CodeMeter, u-create studio is affected
by a subset of these vulnerabilities. For details, refer to "Impact".
Impact
The stated Weidmüller product is supplied with the WIBU-SYSTEMS CodeMeter Runtime software in version
6.81, which contains the following vulnerabilities:
WIBU Security Advisory | CVE Number | Description
WIBU-200521-01 | CVE-2020-14513 (Score: 7.5) | not affected (Fixed in 6.81. Weidmueller uses 6.81 at least.)
WIBU-200521-02 | CVE-2020-14519 (Score: 8.1) | CodeMeter Runtime WebSockets API: Missing Origin Validation
WIBU-200521-03 | CVE-2020-14509 (Score: 10.0) | CodeMeter Runtime DoS due to Buffer Access with Incorrect Length Value
WIBU-200521-04 | CVE-2020-14517 (Score: 9.4) | CodeMeter Runtime API: Inadequate Encryption Strength and Authentication
WIBU-200521-05 | CVE-2020-16233 (Score: 7.5) | CodeMeter Runtime API: Heap Leak