CVE-2021-41057
📋 TL;DR
This vulnerability in WIBU CodeMeter Runtime allows local attackers to overwrite arbitrary files via a crafted symbolic link attack. It affects systems running CodeMeter Runtime before version 7.30a, potentially leading to privilege escalation or system compromise. The attack requires local access to the system.
💻 Affected Systems
- WIBU CodeMeter Runtime
📦 What is this software?
Pss Cape by Siemens
Pss E by Siemens
Pss E by Siemens
Pss Odms by Siemens
Sicam 230 by Siemens
Simit by Siemens
⚠️ Risk & Real-World Impact
Worst Case
Privilege escalation to root/system administrator, complete system compromise, or persistent backdoor installation.
Likely Case
Local privilege escalation allowing attackers to gain higher privileges than their current user account.
If Mitigated
Limited impact with proper access controls and monitoring in place.
🎯 Exploit Status
Exploitation requires local access and ability to create symbolic links. No public exploit code is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.30a and later
Vendor Advisory: https://www.wibu.com/us/support/security-advisories.html
Restart Required: Yes
Instructions:
1. Download CodeMeter Runtime version 7.30a or later from WIBU website. 2. Stop CodeMeter service. 3. Install the updated version. 4. Restart the service/system.
🔧 Temporary Workarounds
Restrict Symbolic Link Creation
allLimit ability to create symbolic links to trusted users only
chmod 700 /usr/bin/ln (Linux)
Set appropriate file permissions on Windows
Disable CodeMeter Service
allTemporarily disable CodeMeter Runtime if not required
systemctl stop codemeter (Linux)
sc stop CodeMeter (Windows)
🧯 If You Can't Patch
- Implement strict access controls to limit who can create symbolic links
- Monitor for unusual file modification activities and symbolic link creation
🔍 How to Verify
Check if Vulnerable:
Check CodeMeter Runtime version using 'cmu --version' or check installed version in control panelCheck Version:
cmu --version (Linux) or check in Windows Programs and FeaturesVerify Fix Applied:
Verify version is 7.30a or higher using version check command📡 Detection & Monitoring
Log Indicators:
- Unexpected file overwrites in CodeMeter directories
- Multiple failed file access attempts
Network Indicators:
- None - local attack only
SIEM Query:
Process creation events for symbolic link utilities (ln, mklink) followed by file modification in CodeMeter paths🔗 References
- https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf
- https://www.wibu.com/us/support/security-advisories.html
- https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf
- https://www.wibu.com/us/support/security-advisories.html
