CVE-2023-3935

Q: What is the severity of CVE-2023-3935?

CVE-2023-3935 has a CVSS score of 9.8 (CRITICAL). CVE-2023-3935 is a critical heap buffer overflow vulnerability in Wibu CodeMeter Runtime network service that allows unauthenticated remote attackers to execute arbitrary code and gain full control of affected systems. This affects all systems running CodeMeter Runtime versions up to 7.60b with the network service enabled. The vulnerability is network-accessible and requires no authentication.

9.8 CRITICAL

Remote Code Execution

📋 TL;DR

CVE-2023-3935 is a critical heap buffer overflow vulnerability in Wibu CodeMeter Runtime network service that allows unauthenticated remote attackers to execute arbitrary code and gain full control of affected systems. This affects all systems running CodeMeter Runtime versions up to 7.60b with the network service enabled. The vulnerability is network-accessible and requires no authentication.

💻 Affected Systems

Products:

Wibu CodeMeter Runtime

Versions: All versions up to and including 7.60b

Operating Systems: Windows, Linux, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability affects the CodeMeter network service (CmDongle/CodeMeter.exe). Systems without the network service enabled are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full administrative control, data theft, ransomware deployment, and persistent backdoor installation.

🟠

Likely Case

Remote code execution leading to system takeover, lateral movement within networks, and deployment of malware or ransomware.

🟢

If Mitigated

Limited impact if network segmentation isolates CodeMeter systems and strict firewall rules prevent external access.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and affects a network service that may be exposed to the internet.

🏢 Internal Only: HIGH - Even internally, the vulnerability allows unauthenticated attackers to compromise systems and potentially move laterally within networks.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability requires no authentication and has a straightforward exploitation path for remote code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 7.70 or later

Vendor Advisory: https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/AdvisoryWIBU-230704-01-v3.0.pdf

Restart Required: Yes

Instructions:

1. Download CodeMeter Runtime version 7.70 or later from Wibu Systems website. 2. Stop all CodeMeter services. 3. Install the updated version. 4. Restart the system to ensure all services are running with the patched version.

🔧 Temporary Workarounds

Disable CodeMeter Network Service

all

Disable the vulnerable network service component while maintaining local license functionality

Windows: sc stop CodeMeter.exe
Linux: systemctl stop codemeter

Network Segmentation and Firewall Rules

all

Block external access to CodeMeter network service ports (default TCP 22350, 22351)

Windows Firewall: netsh advfirewall firewall add rule name="Block CodeMeter" dir=in action=block protocol=TCP localport=22350,22351
Linux iptables: iptables -A INPUT -p tcp --dport 22350:22351 -j DROP

🧯 If You Can't Patch

Implement strict network segmentation to isolate CodeMeter systems from untrusted networks
Deploy host-based intrusion detection/prevention systems to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check CodeMeter Runtime version and verify if network service is running. Versions ≤7.60b with network service enabled are vulnerable.

Check Version:

Windows: "C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe" --version | Linux: /usr/sbin/CodeMeter --version

Verify Fix Applied:

Verify CodeMeter Runtime version is 7.70 or later and that the network service is either disabled or properly firewalled.

📡 Detection & Monitoring

Log Indicators:

Unusual network connections to CodeMeter ports (22350/22351)
CodeMeter service crashes or unexpected restarts
Unusual process creation from CodeMeter executable

Network Indicators:

Unusual traffic patterns to/from CodeMeter ports
Exploit attempts against port 22350/22351
Unexpected outbound connections from CodeMeter systems

SIEM Query:

source="CodeMeter" AND (event_type="crash" OR event_type="unexpected_restart") OR destination_port IN (22350, 22351) AND source_ip NOT IN (trusted_ips)

📊 Metadata

CVE ID: CVE-2023-3935

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: September 13, 2023

Last Updated: November 21, 2024

🔗 References

https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/AdvisoryWIBU-230704-01-v3.0.pdf Vendor Advisory
https://cert.vde.com/en/advisories/VDE-2023-030/ Third Party Advisory
https://cert.vde.com/en/advisories/VDE-2023-031/ Third Party Advisory
https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/AdvisoryWIBU-230704-01-v3.0.pdf Vendor Advisory
https://cert.vde.com/en/advisories/VDE-2023-030/ Third Party Advisory
https://cert.vde.com/en/advisories/VDE-2023-031/ Third Party Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Activation Wizard by Phoenixcontact

Codemeter Runtime by Wibu

E Mobility Charging Suite by Phoenixcontact

Fl Network Manager by Phoenixcontact

Iol Conf by Phoenixcontact

Module Type Package Designer by Phoenixcontact

Module Type Package Designer by Phoenixcontact

Oseon by Trumpf

Plcnext Engineer by Phoenixcontact

Programmingtube by Trumpf

Teczonebend by Trumpf

Tops Unfold by Trumpf

Topscalculation by Trumpf

Trumpflicenseexpert by Trumpf

Trutops by Trumpf

Trutops Cell Classic by Trumpf

Trutops Cell Sw48 by Trumpf

Trutops Mark 3d by Trumpf

Trutopsboost by Trumpf

Trutopsfab by Trumpf

Trutopsfab Storage Smallstore by Trumpf

Trutopsprint by Trumpf

Trutopsprintmultilaserassistant by Trumpf

Trutopsweld by Trumpf

Tubedesign by Trumpf