The following list represents the vendors affected by the critical vulnerabilities uncovered by Team82 in Wibu-Systems's CodeMeter license-management component. The list contains vendors that the Industrial Control Systems Computer Emergency Response Team (ICS-CERT) has listed as having been contacted and affected, and those that have published their own advisories. Please find the ICS-CERT advisory here. Wibu-Systems has also published an advisory here.
Team82 has also published a related GitHub page.
For additional resources:
This list will be updated periodically. Vendors wishing to contact Team82 should reach out to secure@claroty.com. Find Claroty's public PGP key here.
--
This list was last updated Feb. 17, 2021.
CWE-284: Improper access control
A network-adjacent authenticated attacker may perform unintended operations
CVSS v3: 5.5
CWE-321: Use of hard-coded cryptographic key
A network-adjacent unauthenticated attacker may log in to SFTP service and obtain and/or manipulate unauthorized files
CVSS v3: 5.4
CWE-522: Insufficiently protected credentials
A network-adjacent unauthenticated attacker may obtain sensitive information such as a username and its password in the address book
CVSS v3: 6.5
CWE-78: OS command injection
A network-adjacent authenticated attacker may execute an arbitrary OS command with root privileges by sending a specially crafted request
CVSS v3: 8.0
CWE-306: MISSING AUTHENTICATION FOR CRITICAL FUNCTION
The affected product is vulnerable to an attacker being able to use commands without providing a password which may allow an attacker to leak information.
Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution, impersonate and send false information, or bypass authentication.
Elvaco has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of affected versions of M-Bus Metering Gateway CMe3100 are invited to contact Elvaco customer support for additional information.
CVSS v3: 7.5
