License to Kill: Leveraging License Management to Attack ICS Networks

September 9, 2020

Claroty researchers have found six vulnerabilities in Wibu-Systems AG’s CodeMeter product, a solution widely used in the ICS domain as a license-management and antipiracy tool. Collectively, the vulnerabilities earned a CVSS score of 10.0, the highest criticality rating, and can be exploited in denial-of-service attacks or to achieve remote code execution.

Wibu-Systems’ CodeMeter is used in critical industrial applications in markets such as pharmaceuticals, automotive, manufacturing, and more. CodeMeter is a third-party component in software deployed by many of the leading ICS vendors.

Any ICS device or software application protected by a vulnerable version of CodeMeter would be at risk of device or process shutdown, malware infections including ransomware, or exploits being delivered for additional vulnerabilities.

Significant weaknesses were identified in CodeMeter’s encryption schemes; encryption is a core feature of the flagship Wibu-Systems product and is used to defend against tampering, reverse-engineering, piracy, and more.

Researchers also found vulnerabilities in the CodeMeter licensing scheme that could be used to bypass the digital signatures protecting the product and allow an attacker to modify existing licenses, or forge valid licenses. These forged licenses may be injected remotely via JavaScript hosted on an attacker-controlled website. Victims may be lured to these sites via phishing or other social engineering attacks.

Claroty researchers also uncovered issues in the encryption protecting the proprietary CodeMeter Protocol that would allow an attacker to remotely communicate with any device running CodeMeter and execute code without authentication.

Claroty researchers developed custom tools during their analysis of CodeMeter, including fuzzers that were used to find additional vulnerabilities in core components of CodeMeter.

Wibu-Systems has patched all of the vulnerabilities in version 7.10 of CodeMeter, and all vendors are urged to update immediately. Claroty researchers have also developed an online utility that will allow users to determine whether their CodeMeter installations are vulnerable.

Read the full report on ICS networks today.
