Security researchers have disclosed six vulnerabilities, the most severe of them rated critical, in a widely embedded third-party software component that could expose countless operational technology (OT) environments to remote code execution attacks.
A team at Claroty found the bugs in Wibu-Systems' CodeMeter software license management product, which many leading vendors of industrial control system (ICS) products embed in their own software.
ICS-CERT has assigned the most severe of them a CVSS v3 base score of 10.0, the highest possible rating.
“Successful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data and prevent normal operation of third-party software dependent on the CodeMeter,” the US Cybersecurity and Infrastructure Security Agency (CISA) noted.
According to Claroty, attackers could phish their targets into visiting a malicious website under attacker control, which then injects a forged license into the CodeMeter installation on the victim machine. Alternatively, they could exploit one of the bugs directly to create and inject forged licenses onto any machine running CodeMeter.
The firm said the worst of the bugs affect the CodeMeter communication protocol and internal API, allowing an attacker to send commands to any machine running the software.
This could enable complete remote takeover: an attacker could install ransomware or other malware, or crash programmable logic controllers (PLCs) by feeding them a malicious license.
Mitigation is complicated by the fact that many OT managers may not know a vulnerable version of CodeMeter is running on their systems at all. Claroty recommended scanning the environment for the product, blocking TCP port 22350 (the default port used by CodeMeter's network license server), and asking ICS vendors whether the CodeMeter component embedded in their products can be upgraded manually.
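The following inventory helper is an added example and not code from Claroty, Wibu-Systems or the article. It probes a list of hosts for TCP 22350 (the CodeMeter network license server port named above) and checks whether a CodeMeter version string is at or above 7.10, the release the CISA advisory names as fixed; treat that threshold as an assumption to confirm against the current vendor advisory for your build. The local listener and the host list are constructed for demonstration so the script runs offline.

```python
"""Discovery helper for the CodeMeter issue (added example, not vendor code).

  1. probe hosts for TCP 22350, the default CodeMeter network server port;
  2. decide whether a CodeMeter version string is at or above the fixed
     release (assumed 7.10 per the CISA advisory; verify with the vendor).
"""
import re
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Tuple

CODEMETER_PORT = 22350                     # default CodeMeter network server port
FIXED_VERSION: Tuple[int, ...] = (7, 10)   # assumed fixed release; confirm with advisory


def probe_port(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a full TCP connection to host:port completes.

    A full connect (not a SYN-only scan) needs no raw-socket privileges;
    the connection is closed immediately and nothing is sent.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # refused, timed out, unreachable, or name resolution failed
        return False


def scan(hosts: Iterable[str], port: int = CODEMETER_PORT,
         timeout: float = 1.0, workers: int = 32) -> Dict[str, bool]:
    """Probe many hosts concurrently; returns host -> port open?"""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: probe_port(h, port, timeout), hosts))
    return dict(zip(hosts, results))


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.10.4196.500' or '7.10a' into (7, 10, 4196, 500) / (7, 10).

    CodeMeter numbers releases 6.90, 7.0, 7.10, 7.20, ..., so components
    must compare as integers, not as a decimal fraction.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_is_fixed(version: str, fixed: Tuple[int, ...] = FIXED_VERSION) -> bool:
    """True if the installed version is at or above the fixed release."""
    return parse_version(version) >= fixed


def open_local_listener() -> Tuple[socket.socket, int]:
    """Bind a throwaway TCP listener on 127.0.0.1 (ephemeral port).

    Stands in for a real license server so the probe can be demonstrated
    without touching OT hosts; the caller must close the returned socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed demo: a local listener instead of a real HMI or engineering station.
    srv, port = open_local_listener()
    try:
        for host, is_open in scan(["127.0.0.1"], port=port).items():
            print(f"{host}: port {port} {'OPEN' if is_open else 'closed'}")
    finally:
        srv.close()
    for v in ("6.90", "7.0", "7.10.4196.500"):
        print(f"CodeMeter {v}: {'at or above fixed release' if version_is_fixed(v) else 'VULNERABLE'}")
```

Two caveats for real use. A closed port 22350 does not prove CodeMeter is absent: the runtime can be installed with its network server disabled or bound only to localhost, so complement the port sweep with host-based inventory (the installed CodeMeter runtime and its version on each Windows host). And because the probe completes a full TCP handshake, run it against OT assets only within a change window; some controllers misbehave under unexpected connections.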
A report from Claroty last month claimed that over 70% of ICS vulnerabilities disclosed in the first half of the year can be remotely exploited.