User Documentation
Security Advisory
Weidmüller Interface GmbH & Co. KG
Klingenbergstraße 26
32758 Detmold, Germany
T +49 5231 14-0
F +49 5231 14292083
www.weidmueller.com
WIBU Security Advisory: WIBU-200521-06
CVE Number: CVE-2020-14515 (Score: 7.4)
Description: Improper Signature Verification of CmActLicense update files for CmActLicense Firm Code
Runtime software for Weidmüller controllers is not affected, because the critical interfaces are disabled.
Solution
• For an installed u-create studio: Update to the current version 7.10a or newer of the CodeMeter Runtime, available via the manufacturer's website.
  https://www.wibu.com/de/support/anwendersoftware/anwendersoftware.html
• For a new installation of u-create studio: First install u-create studio, then update to the current version 7.10a or newer of the CodeMeter Runtime available via the manufacturer's website.
  https://www.wibu.com/de/support/anwendersoftware/anwendersoftware.html
Note: An update of the CodeMeter Runtime before installation of u-create studio will cause errors during installation of u-create studio.
Mitigation
• Use general security best practices to protect systems from local and network attacks.
• For versions prior to 7.10a, run CodeMeter Runtime as client only and use localhost as binding for the CodeMeter communication. With binding to localhost, an attack is no longer possible via remote network connection. This is the default configuration.
• If CodeMeter Runtime is required to run as network server, use the CodeMeter License Access Permissions feature to restrict the usage of the CodeMeter API.
For further impact information and risk mitigation, please refer to the official WIBU-SYSTEMS Advisory Website
at https://www.wibu.com/support/security-advisories.html
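One way to check the localhost-binding mitigation on a workstation, as an added example that is not code from Weidmüller or WIBU-SYSTEMS: it parses Windows `netstat -an -p TCP` output and flags listeners on the CodeMeter port that are not bound to a loopback address. The port 22350/TCP (CodeMeter's default) and the sample output are assumptions; the advisory itself names no port.

```python
"""Added example: audit netstat output for CodeMeter listeners not bound to loopback."""
import ipaddress

# Assumption: 22350/TCP is CodeMeter's default communication port; the advisory
# does not state a port, so adjust this if your installation differs.
CODEMETER_PORT = 22350

# Constructed sample of Windows `netstat -an -p TCP` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:22350        0.0.0.0:0              LISTENING
  TCP    192.168.10.5:22350     0.0.0.0:0              LISTENING
  TCP    [::]:22350             [::]:0                 LISTENING
  TCP    [::1]:22350            [::]:0                 LISTENING
  TCP    127.0.0.1:50112        127.0.0.1:22350        ESTABLISHED
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any zone id
    return ipaddress.ip_address(host), int(port)

def exposed_listeners(netstat_text, port=CODEMETER_PORT):
    """Return local endpoints listening on `port` that are reachable off-host."""
    exposed = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expected columns: Proto, Local Address, Foreign Address, State
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        if fields[3].upper() != "LISTENING":
            continue
        try:
            addr, local_port = split_endpoint(fields[1])
        except ValueError:
            continue  # unparseable line
        # 0.0.0.0 and :: bind every interface, so they count as exposed.
        if local_port == port and not addr.is_loopback:
            exposed.append(fields[1])
    return exposed

if __name__ == "__main__":
    findings = exposed_listeners(SAMPLE_NETSTAT)
    for endpoint in findings:
        print(f"CodeMeter port bound to non-loopback address: {endpoint}")
    print("OK: localhost binding only" if not findings else f"{len(findings)} exposed listener(s)")
```

An empty result corresponds to the default client-only configuration described above; any finding means the runtime is reachable from the network and should either be rebound to localhost or restricted with License Access Permissions.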
Reported by
Sharon Brizinov and Tal Keren of Claroty
WIBU-SYSTEMS
Coordinated by CERT@VDE, CISA and BSI
Support
For support please contact Weidmüller at www.weidmueller.com/service.