ICSA-19-043-03 · Published 2019-05-14
WIBU SYSTEMS AG WibuKey Digital Rights Management (Update D)
CVSS 10.0
CRITICAL
Risk Summary
Successful exploitation of these vulnerabilities may allow information disclosure, privilege escalation, or remote code execution.
CVEs (3)
Remediations
- Updated Wibu Systems Software can be found at the following link:
- https://www.wibu.com/support/user/downloads-user-software.html
- Siemens has an updated software version for the affected SISHIP products that resolves the vulnerabilities. Users are advised to contact Siemens customer support for details.
- Siemens has released the following updates for WinCC OA that address the WibuKey vulnerabilities (login required):
- WinCC OA users can also apply the general mitigations below to resolve the vulnerabilities.
- Siemens recommends users upgrade to WibuKey DRM Version 6.50 or newer for all affected Siemens products. Siemens also recommends mitigating CVE-2018-3991 by blocking Port 22347/TCP. For detailed information, see Siemens security advisories SSA-760124, SSA-844562, and SSA-902727 at the following link:
- http://www.siemens.com/cert/en/cert-security-advisories.htm
- COPA-DATA recommends users upgrade WibuKey DRM to Version 6.50a or newer, restrict physical and network access, segment network traffic, ensure systems using WibuKey WkLAN Server are not external facing, and apply application whitelisting. For detailed information, see COPA-DATA's security advisory at the following link:
- https://www.copadata.com/fileadmin/user_upload/faq/files/CD_SVA_2019_1.pdf
- Sprecher Automation recommends users upgrade WibuKey DRM to Version 6.50b or newer, restrict physical and network access, segment network traffic, ensure systems using WibuKey WkLAN Server are not external facing, and apply application whitelisting. For detailed information, see Sprecher Automation's security advisory at the following link:
- https://www.sprecher-automation.com/fileadmin/kundendaten/teaser/News/2018/SPRECON-V460_Security_Vulnerability_Announcement_2019-01_Issue_1.pdf
- Phoenix Contact has calculated different CVSS vectors from those in the Vulnerability Overview section. See the Phoenix Contact or CERT@VDE advisory for details.
- Phoenix Contact recommends those using dongle-based licensing to update to WibuKey Version 6.50 or newer. MEVIEW3 Versions 3.14.25 and 3.15.18 will include Version 6.50 of WibuKey. For those using hardware code-based licensing, Phoenix Contact recommends removing the WibuKey application. For detailed information, the Phoenix Contact MEVIEW3 security advisory can be found at the following link:
- https://www.phoenixcontact.com/psirt
- CERT@VDE has also published an advisory for the Phoenix Contact MEVIEW3 at the following link:
- https://cert.vde.com/de-de/advisories/vde-2019-003
Affected Vendors
WIBU-SYSTEMS AG
Affected Products (9)
- WIBU-SYSTEMS AG · Siemens SICAM 230: <= 7.20
- WIBU-SYSTEMS AG · Siemens SIMATIC WinCC OA 3.16: < P007
- WIBU-SYSTEMS AG · Siemens SISHIP EMCS IMAC IPMS: vers:all/*
- WIBU-SYSTEMS AG · Sprecher Automation SPRECON-V460 products: <= 7.20 (7.50 and 7.60 may also be affected if WibuKey was installed manually)
- WIBU-SYSTEMS AG · COPA-DATA straton workbench: <= 9.2
- WIBU-SYSTEMS AG · Phoenix Contact MEVIEW3: <= 3.14.25 | 3.15.18
- WIBU-SYSTEMS AG · Siemens SIMATIC WinCC OA 3.14: < P025
- WIBU-SYSTEMS AG · Siemens SIMATIC WinCC OA 3.15: < P018
- WIBU-SYSTEMS AG · COPA-DATA zenon products: <= 7.20 (7.50 and 7.60 may also be affected if WibuKey was installed manually)
Affected Sectors
Commercial Facilities, Communications, Critical Manufacturing, Energy, Financial Services, Healthcare and Public Health, Transportation Systems