Security Alerts

This site provides information on the latest security topics and the Sprecher products they concern.

If you have security-related questions or would like to report security issues, please reach out to our Product Security Incident Response Team (PSIRT) via security@sprecher-automation.com.

SPR-2511044

Title Static default key material for TLS connections
Date 4 November 2025
Relevance SPRECON-E: affected
SPRECON-EDIR: not affected
SPRECON-SG: not affected
SPRECON-V460: not affected
CVE-Code

CVE ID: CVE-2025-41744

CVSS 3.1 Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0 Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

SPRECON-E devices are delivered with a default certificate for the integrated web server and other services with TLS support. This certificate is identical on all devices and is used exclusively for initial commissioning. If this certificate is not replaced by an individual, customer-specific, unique certificate, this creates a potential security risk. Replacing the default certificate is recommended in the “SPRECON Basic Hardening” guide.

Risk and attack scenario: An attacker with access to any SPRECON-E device (or the firmware file) could extract the default certificate, including the private key. With this key material, the attacker would be able to carry out a man-in-the-middle (MITM) attack against any other SPRECON-E device that still uses the default certificate. In the event of a successful MITM attack, the attacker could intercept, decrypt, and, if necessary, manipulate all network traffic between the user and the web server of the SPRECON-E device. This could lead to the compromise of login credentials, the disclosure of sensitive configuration data, or the manipulation of the information displayed to the user.

Reference see Details
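
One way to check a fleet for the condition described in this advisory, as an added example (not Sprecher's code): it groups devices by the SHA-256 of the public key in the certificate each one presents, so a key pair shared by several devices stands out even if the certificate itself was re-issued. Device names and certificate bytes in SAMPLE are constructed, and the small DER reader handles only the definite-length elements found at the top of an X.509 certificate.

```python
"""Group devices by the public key in the TLS certificate they present."""
import hashlib
import socket
import ssl
from collections import defaultdict


def fetch_der_certificate(host, port=443, timeout=5.0):
    """Return the DER certificate a server presents, without validating it."""
    # Validation is off: the aim is to read whatever certificate is presented.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, content_start, end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def spki_sha256(der_cert):
    """SHA-256 (hex) of the certificate's SubjectPublicKeyInfo element."""
    tag, start, _ = read_tlv(der_cert, 0)              # Certificate
    tbs_tag, pos, tbs_end = read_tlv(der_cert, start)  # tbsCertificate
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER certificate")
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(der_cert, pos)
        fields.append((tag, pos, end))
        pos = end
    if fields and fields[0][0] == 0xA0:                # optional [0] version
        fields = fields[1:]
    # Remaining order: serial, signature, issuer, validity, subject, SPKI.
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("unexpected tbsCertificate layout")
    _, spki_start, spki_end = fields[5]
    return hashlib.sha256(der_cert[spki_start:spki_end]).hexdigest()


def find_shared_keys(certs_by_device):
    """Map key fingerprint -> devices, for keys seen on more than one device."""
    groups = defaultdict(list)
    for device, der_cert in certs_by_device.items():
        groups[spki_sha256(der_cert)].append(device)
    return {fp: sorted(devs) for fp, devs in groups.items() if len(devs) > 1}


def der_tlv(tag, content):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content


def constructed_cert(serial, key_bytes):
    """Constructed sample: unsigned certificate skeleton with empty names."""
    spki = der_tlv(0x30, der_tlv(0x30, b"") + der_tlv(0x03, b"\x00" + key_bytes))
    tbs = der_tlv(0x30, b"".join([
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),   # version v3
        der_tlv(0x02, bytes([serial])),          # serialNumber
        der_tlv(0x30, b""), der_tlv(0x30, b""),  # signature algorithm, issuer
        der_tlv(0x30, b""), der_tlv(0x30, b""),  # validity, subject
        spki,
    ]))
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))


# Constructed inventory: two devices share one key pair (the second with a
# re-issued certificate), the third has its own. Names are hypothetical.
SAMPLE = {
    "device-a": constructed_cert(1, b"\x11" * 140),
    "device-b": constructed_cert(2, b"\x11" * 140),
    "device-c": constructed_cert(3, b"\x22" * 140),
}

if __name__ == "__main__":
    for fp, devices in find_shared_keys(SAMPLE).items():
        print(f"shared key {fp[:16]}...: {', '.join(devices)}")
```

For a live inventory, build the input from `fetch_der_certificate()` results per device address; every group returned is a set of devices that still need an individual certificate.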

SPR-2511043

Title Vulnerable encryption of update files
Date 4 November 2025
Relevance SPRECON-E: affected
SPRECON-EDIR: not affected
SPRECON-SG: not affected
SPRECON-V460: not affected
CVE-Code

CVE ID: CVE-2025-41743

CVSS 3.1 Score: 3.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS 4.0 Score: 4.0
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

During a security audit, it was discovered that the encryption of firmware images is insufficient. An attacker in possession of such a firmware file could exploit this vulnerability to unpack and analyze the image. This could reveal detailed information about the system architecture and internal workings to the attacker.

 

Important limitation:
The integrity of the system is not directly compromised by this vulnerability. The robust signature verification mechanism of the firmware remains intact and effective. An attacker cannot create modified firmware that will be accepted as valid by the system. Unauthorized code execution or manipulation of the running system is not possible in this way.

Reference see Details

SPR-2511042

Title Critical vulnerability due to the use of static cryptographic keys in system components
Date 4 November 2025
Relevance SPRECON-E: affected
SPRECON-EDIR: not affected
SPRECON-SG: not affected
SPRECON-V460: not affected
CVE-Code

CVE ID: CVE-2025-41742

CVSS 3.1 Score: 9.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

CVSS 4.0 Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H

Description

A security analysis has revealed that static, non-unique cryptographic keys are used in several places. This leads to two potential risks:

 

Possible misidentification of systems:
A static mechanism for system identification in the maintenance process can be bypassed. This does not affect user-specific authentication, which is performed separately. The main risk is that an already authenticated user could perform maintenance work on the wrong system.

 

Compromise of project files:
The encryption of project, configuration, and maintenance files is based on static key material, which compromises the confidentiality and integrity of this data.

Reference see Details

SPR-2511041

Title Potential vulnerability due to static key material in the backup system
Date 4 November 2025
Relevance SPRECON-E: affected
SPRECON-EDIR: not affected
SPRECON-SG: not affected
SPRECON-V460: not affected
CVE-Code

CVE ID: CVE-2025-41741

CVSS 3.1 Score: 6.7
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Score: 8.7
CVSS Vector: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

An internal security audit has revealed that the SSM (Sprecher Storage Manager) backup function uses static key material for encrypting and decrypting backup files. This configuration represents a potential vulnerability. An attacker who gains access to this key material could theoretically:

Compromise data: Decrypt stored backups to extract sensitive system information or process data.

Violate the integrity of backups: If backups are manipulated and restored to the system, unauthorized or malicious code could be executed.

Reference see Details

SPR-2508251

Title zenon/SPRECON-V460 Remote Transport Vulnerability
Date 25 August 2025
Relevance SPRECON-E: not affected
SPRECON-EDIR: not affected
SPRECON-SG: not affected
SPRECON-V460: affected
CVE-Code CVSS 4.0 Score: 6.9 (Medium)
CVSS Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Description

The vulnerability in the Service Engine can only be exploited if a user initiates a deliberate interaction with the Remote Transport Service on an Engineering Studio computer. The Remote Transport Service is used to transfer Engineering Studio project data to a target computer (Service Engine).

The vulnerability allows the Reboot OS functionality of the Remote Transport Service to be used without proper authentication on a target computer, the Service Engine (Runtime). The Reboot OS functionality requires a restart of the target computer. The vulnerability cannot be exploited remotely without first gaining access to the network in which the target computer is located.

At the time of writing, there is no evidence that this vulnerability is being actively exploited.

Reference see Details

SPR-2506171

Title Privilege Escalation through CodeMeter Installer on Windows
Date 17 June 2025
Relevance SPRECON-E: not affected
SPRECON-EDIR: not affected
SPRECON-SG: not affected
SPRECON-V460: affected
CVE-Code CVE ID: CVE-2025-47809
CVSS 4.0 Score: 5.4
CVSS Vector: AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Description

The CodeMeter Installer on Windows has a bug that, under certain circumstances, allows an escalation of privileges for an unprivileged account: after installation on an unprivileged account with UAC using the built-in Administrator account, CodeMeter launches the CodeMeter Control Center with System privileges.

 

Sprecher Automation requires basic security hardening for SPRECON-V460 systems. Before installing any software, the basic hardening must be disabled. After installing the software, the basic hardening must be reactivated. Based on this, the following vulnerability classification was made.

Reference see Details

SPR-2411261

Title RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS)
Date 26 November 2024
Relevance SPRECON-E: affected
SPRECON-EDIR: not affected
SPRECON-V460: affected
CVE-Code CVE ID: CVE-2024-3596
CVSS 3.1 Score: 8.1
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description The RADIUS protocol according to RFC 2865 is vulnerable to forgery attacks by a local attacker who can convert any valid response (Access-Accept, Access-Reject or Access-Challenge) into any other response by performing a chosen-prefix collision attack against the MD5 Response Authenticator signature. To exploit the vulnerability, the attacker must be in the active data path (man-in-the-middle attack).
Reference see Details

SPR-2407171

Title Protection Assignments Roles Escalation
Date 17 July 2024
Relevance SPRECON-E: affected
SPRECON-EDIR: not affected
SPRECON-SG: not affected
SPRECON-V460: not affected
CVE-Code CVE-ID: CVE-2024-6758
CVSS 3.1 Score: 6.5
CVSS Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Description

With the use of specially generated HTTP(S) requests, protection assignments with reduced rights can be saved independently of the role assignment.

This requires that access to the web interface has been configured. Direct exploitation of the vulnerability via the web interface is not possible.

Reference see Details

SPR_SPRECON-V_2023-08

Title Heap buffer overflow in Wibu Systems CodeMeter Runtime can potentially lead to (remote) code execution
Date 23.08.2023 / Update 08 September 2023
Relevance

SPRECON-E: not affected
SPRECON-EDIR: not affected
SPRECON-SG: not affected
SPRECON-Tool: affected
SPRECON-V460: affected

CVE-Code

CVE-ID: CVE-2023-3935
CVSS 3.1 Score: 9.0
CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Sprecher Automation has been notified of a vulnerability in the Wibu Systems CodeMeter User Runtime Software that allows code execution via a buffer overflow, which is potentially exploitable over the network depending on the installation. The vulnerability has a CVSS 3.1 score of 9.0.

The CodeMeter User Runtime software is used by SPRECON-V460 for software license protection. The issue has been fixed by Wibu Systems and a new version 7.60c of the CodeMeter User Runtime Software is available which fixes the vulnerability. On existing SPRECON-V460 installations, this runtime can be replaced/updated without having to update/reinstall the V460 system.

Update 8 September 2023
In addition, the CodeMeter User Runtime is also used for licensing with SPRECON-Tools (SPRECON-E Service Program, SPRECON-E Designer, SPRECON-E PLC Designer, SPRECON-E Display Editor), but only if licensing is done via Wibu CodeMeter USB dongle and the SPRECON Licensing Driver Package is installed for this purpose.

Reference see Details

Vulnerability in the SPRECON-V460 software platform

Title Vulnerability in the SPRECON-V460 software platform
Date 31.07.2023
Relevance SPRECON-E: not affected
SPRECON-EDIR: not affected
SPRECON-SG: not affected
SPRECON-V460: affected
CVE-Code CVE-2023-3321 (CVSS 3.1 Base Score 7.0)
CVE-2023-3323  (CVSS 3.1 Base Score 5.9)
CVE-2023-3324  (CVSS 3.1 Base Score 6.3)
Description

Vulnerabilities have been reported in the SPRECON-V460 software platform affecting IIoT Services on Windows (formerly Service Grid) and the Service Engine on Windows.

An attacker who successfully exploits the CVE-2023-3321 vulnerability may cause the Data Hub to load and execute arbitrary code in an elevated context. This assumes that an attacker has access to a Windows machine where the Service Grid components are installed, and no application whitelisting or similar technologies are used to prevent execution of untrusted code. An attacker can place a tailored file containing the code to be executed onto the machine and modify a configuration file so that the attacker's file is loaded.

An attacker who successfully exploits the CVE-2023-3323 vulnerability may cause the Service Engine to execute code that was not intended to be executed by the project engineer. This assumes an attacker has access to a system with the Engineering Studio, where the Service Engine is started, where the Engineering Studio does not compile or overwrite the Service Engine files and the Service Engine files are created in the default directory.

An attacker who successfully exploits the CVE-2023-3324 vulnerability may cause the Service Engine to deserialize file content using a method that is recognized as insecure, potentially leading to the Service Engine entering an unknown state or potentially causing the Service Engine to execute code.

This assumes that

  • an attacker has access to a machine with the Service Engine,
  • with a project that contains a screen,
  • where the screen contains a WPF element, that is configured to use a .cdwpf created by the 3D configurator tool,
  • where the screen is opened either automatically or during interaction from the user,
  • where the Service Engine files are stored in a directory to which the attacker has write access,
  • where the attacker can construct a specific file in such a way, that the deserialization method used by the .cdwpf can enter an invalid state.
Reference see Details

VULNERABLE FIRMWARE VERIFICATION

Title VULNERABLE FIRMWARE VERIFICATION
Date 05.12.2022
Relevance SPRECON-E-C/-E-P/-E-T3: affected
SPRECON-EDIR: not affected
SPRECON-SG: not affected
SPRECON-V460: not affected
CVE-Code
Description

A vulnerable firmware verification in the firmware of the SPRECON-E product range has been identified. Through physical access and hardware manipulation, an attacker might be able to bypass hardware-based code verification and thus inject arbitrary code.
Affected Product:

SPRECON-E-C/P/T3 CPU modules of following variants: PU244x

Solution

Sprecher Automation will address this vulnerability by providing firmware updates together with improved boot loaders. We will inform once new firmware is available.

Mitigation

The access vector is bound to physical device access. Hence, it is recommended to emphasize physical security controls; see the general recommendations. In addition, the hardware manipulation needed to fully exploit this vulnerability requires taking the device out of operation for some time, so device status monitoring, as usually applied in substation automation, is an important measure for detecting potential attacks as well.

General Recommendations

Sprecher Automation strongly recommends emphasizing security best practices in critical infrastructures, e.g. measures according to ISO/IEC 27019. Hence, both network and physical access to OT devices need to be restricted to a minimum, while protecting and monitoring all means of access. Also, engineering and remote maintenance infrastructure needs to be protected with high security in mind, as potentially sensitive configuration data or maintenance access credentials could be stored there.

Reference see Details

HARDENING NOTIFICATION: SPRECON MAINTENANCE ACCESS WITH HARDCODED CREDENTIALS

Title HARDENING NOTIFICATION: SPRECON MAINTENANCE ACCESS WITH HARDCODED CREDENTIALS
Date 05.12.2022
Relevance SPRECON-E-C/-E-P/-E-T3: affected
SPRECON-EDIR: not affected
SPRECON-SG: not affected
SPRECON-V460: not affected
CVE-Code
Description

SPRECON-E devices offer the ability to enable maintenance logins. These maintenance logins use static credentials that are known only to limited Sprecher staff, and they shall only be enabled by the device owner in case of explicit necessity. According to Sprecher's hardening guidelines, these accounts shall be disabled for operation. Disabling can be done via normal configuration access, which in turn shall be secured with SPRECON’s RBAC (role-based access control). This notification is meant to draw attention to this hardening measure once more. It is recommended to check whether maintenance access is disabled. Additionally, access to device configuration files that are stored on engineering PC systems shall be limited and monitored. Overall, implementing the SPRECON hardening guidelines is always recommended where this has not been done so far.

In a coming firmware release, device owners will additionally have the ability to gain more control over these user accounts by not only being able to disable them, but also by setting individual credentials in case their usage is necessary. The maintenance user accounts are equipped with limited privileges and e.g. do not have access to stored keys in the device.


Affected Product:

SPRECON-E CPU modules of following variants:

  • PU243x, PU244x
  • MC33/34
  • SPRECON-EDIR

General Recommendations

Sprecher Automation strongly recommends emphasizing security best practices in critical infrastructures, e.g. measures according to ISO/IEC 27019. Hence, both network and physical access to OT devices need to be restricted to a minimum, while protecting and monitoring all means of access. Also, engineering and remote maintenance infrastructure needs to be protected with high security in mind, as potentially sensitive configuration data or maintenance access credentials could be stored there.

Reference see Details

CVE-2021-44228: Vulnerability in Apache log4j

Title CVE-2021-44228: Vulnerability in Apache log4j
Date 20 December 2021 (Update: 20 December 2021)
Relevance SPRECON-E: partly affected (actions recommended, see Update 1,2)
SPRECON-V: not affected
SPRECON-EDIR: not affected
SPRECON-SG: not affected
CVE-Code CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104
Description

Due to a high number of direct customer requests, we would like to inform you that SPRECON products are not affected by the zero-day vulnerability CVE-2021-44228 in the Apache Log4j library.

Update 1: 20.12.2021

The software "SPRECON-E IEC 61850 Mapper" contains a reference to "log4j-core-2.11.0.jar", which might be detected by security scans due to CVE-2021-44228, causing respective alarms. The implementation used in our software does not allow exploitation of CVE-2021-44228 remotely or locally, as according to current knowledge about CVE-2021-44228 there is no possibility to inject individual/manipulated strings. That is why we still declare our products as not affected. However, as numerous customer requests showed that security scans raised alarms for our software, and as the risk situation and the exploit details about CVE-2021-44228 are growing rapidly, we recommend the following:

  • The SPRECON-E IEC61850 Mapper software is only necessary for configuring IEC 61850 communication of our SPRECON devices. If the IEC 61850 feature is not used, the software should be deleted.
  • The vulnerable "log4j-core-2.11.0.jar" is only contained in versions 2.04 and higher of "SPRECON-E IEC61850 Mapper". If such a version is in use and cannot be uninstalled because it is needed for IEC 61850 configuration, we recommend preventively applying the following workarounds, as they do not influence the correct function of the software:
    • Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true and delete the JndiLookup.class from the plugin.

We are currently working on updated versions of the software in which the log4j dependency is updated to a patched version.
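
The class-removal half of the workaround above, as an added example (not Sprecher's or Apache's tooling): it finds jars under a directory that still contain JndiLookup.class and rewrites them without it, keeping a backup copy. The class path inside the jar is the standard log4j-core 2.x package path; the sample jar is constructed with placeholder bytes, and the function names are this example's own.

```python
"""Locate jars that still ship log4j's JndiLookup.class and strip the class."""
import os
import shutil
import tempfile
import zipfile

# Location of the class inside a log4j-core 2.x jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jars_with_jndi_lookup(root):
    """Return sorted paths of .jar files under root containing JndiLookup.class."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    if JNDI_CLASS in jar.namelist():
                        hits.append(path)
            except (zipfile.BadZipFile, OSError):
                continue  # unreadable or not a real archive: nothing to strip
    return sorted(hits)


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class, keeping the original as .bak.

    Returns True if the class was removed, False if it was not present.
    """
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        # Write the cleaned archive next to the original, then swap it in.
        fd, tmp_path = tempfile.mkstemp(
            suffix=".jar", dir=os.path.dirname(jar_path) or ".")
        os.close(fd)
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for item in src.infolist():
                if item.filename != JNDI_CLASS:
                    dst.writestr(item, src.read(item.filename))
    shutil.copy2(jar_path, jar_path + ".bak")  # backup still holds the class
    os.replace(tmp_path, jar_path)
    return True


def build_constructed_jar(directory):
    """Constructed sample: a jar holding placeholder bytes, not real classes."""
    path = os.path.join(directory, "log4j-core-2.11.0.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")
        jar.writestr(JNDI_CLASS, b"placeholder")
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_constructed_jar(root)
        for jar_path in jars_with_jndi_lookup(root):
            print("stripping", jar_path, "->", strip_jndi_lookup(jar_path))
        print("remaining:", jars_with_jndi_lookup(root))
```

The `.bak` copy still contains the class, so move it off the machine once the software has been checked. The environment variable is set separately.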

 

Please also be aware: the "SPRECON-E IEC 61850 Mapper" software is only necessary for configuring the IEC 61850 feature on SPRECON devices. It is not necessary for device operation or maintenance. The software is only in use during engineering, when creating the device's configuration files for IEC 61850.

 

Update 2: 20.1.2022

The “SPRECON-E Processor Recovery Tool” contains an older version of Apache log4j: 1.2.15. From version 3.46 of “SPRECON-E Service Program”, the “SPRECON-E Processor Recovery Tool” is shipped with its installer. Exploitation in this log4j version requires manipulation of Java runtime configurations, the injection of malicious logs, and manipulation of the SPRECON-E Processor Recovery Tool's code. The risk is therefore considered to be low.
An update is already available together with SPRECON-E Service Program 3.55 SP1. In any case, the SPRECON-E Processor Recovery Tool can be deleted by users, as it is not necessary for engineering or operation of SPRECON installations.

Reference https://jfrog.com/blog/log4shell-0-day-vulnerability-all-you-need-to-know/

Security Advisory, Configuration-File Input Validation Vulnerability

Title Security Advisory, Configuration-File Input Validation Vulnerability
Date 14 October 2020
Relevance SPRECON-E: affected, not critical
SPRECON-V: not affected
CVE-Code CVE-2020-11496
Description

With reference to the article published on April 3, 2020, with the title: "Risk assessment of saved SPRECON-E configuration data", security improvements were announced for the SPRECON-E control firmware version 8.64b. Sprecher Automation would like to announce this advisory and declare the missing security improvement in the previous versions as a vulnerability with CVE-2020-11496. Thanks to Gregor Bonney, employee of CyberRange-e at Innogy for the responsible communication and coordination of the publication after the available firmware update 8.64b.


The vulnerability was assessed with a CVSS Base Score of 7.2 and, with an existing official fix, can be assessed with a CVSS Overall Score of 6.7. The composition of the vector can be seen here: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C&version=3.1


Description:
Sprecher SPRECON-E firmware prior to 8.64b might allow local attackers with access to engineering data to insert arbitrary code. This firmware lacks the validation of the input values on the device side, which is provided by the engineering software during parameterisation. Attackers with access to local configuration files can therefore insert malicious commands that are executed after compiling them to valid parameter files (“PDLs”), transferring them to the device, and restarting the device.


Affected:
Devices of the SPRECON-E product family prior to firmware version 8.64b are affected.


Countermeasures:
From firmware 8.64b, an extended input validation is carried out (safe listing), which prevents maliciously injected commands. In addition, a cryptographic signature process was implemented for configuration files, which enables secure special solutions for customers. Sprecher Automation offers an updated version of the firmware, currently 8.64d, for customers through their customer advisors.


Workaround:
For alternative mitigation measures, special reference is made to the article published on April 3, 2020, with the title: "Risk assessment of saved SPRECON-E configuration data".


Classification:
The vulnerability can be classified as "Relevant - Not Critical", since configuration data is usually stored and treated securely by our customers, who are aware of the sensitivity of this data. Version control before importing a PDL protects against maliciously changed data, and monitoring functions provide information in the event of a malicious restart of the devices on site. If there is a risk that attackers could gain access to stored and actively used configuration data, risk analyses should be carried out and appropriate countermeasures taken.


Related Links:
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11496

 

Vulnerabilities in Wibu Systems CodeMeter Runtime Software

Title Vulnerabilities in Wibu Systems CodeMeter Runtime Software
Date 10 September 2020
Relevance SPRECON-E: not affected
SPRECON-V: affected
CVE-Code CVE-2020-14513, 14519, 14509, 14517, 16233, and 14515.
Description

Sprecher Automation informs about several severe and also critical security vulnerabilities in different versions of the Wibu Systems CodeMeter User Runtime software.

The CodeMeter User Runtime Software is used by SPRECON-V460 for its software license protection.
The issues were addressed by Wibu Systems and a new version 7.10 was made available by Wibu Systems, in which these issues were resolved.

The CodeMeter User Runtime software is used for dongle and soft licensing by the SPRECON-V460 Editor, SPRECON-V460 Runtime, SPRECON-V460 Analyzer, SPRECON-V460 Web Server, SPRECON-V460 Logic/Straton Runtime and the Logic/Straton Workbench. This software is part of the installation of these software products, even when no dongle license is used.

SPRECON-V460 versions 8.00 and higher exclusively use the CodeMeter User Runtime software from Wibu Systems and are affected by these vulnerabilities.
SPRECON-V460 versions 8.00 and lower may use the CodeMeter User Runtime software from Wibu Systems and might be affected by these vulnerabilities.
The SPRECON-V460 Analyzer exclusively uses the CodeMeter User Runtime software from Wibu Systems and is affected by these issues.

Wibu Systems provides an updated version 7.10 of the CodeMeter User Runtime software, which addresses the reported vulnerabilities.

The “CodeMeter User Runtime for Windows” software can be downloaded via this link:
https://www.wibu.com/support/user/user-software.html
 

For more details, see our vulnerability announcement for SPRECON-V460.

 

Risk Classification of SPRECON-E Engineering Data

Title Risk Classification of SPRECON-E Engineering Data
Date 3 April 2020
Description

Sprecher Automation wants to support our customers in properly estimating the risk associated with engineering data, which shall always be stored in a secure way, taking into account proper measures for logical access control.

The configuration of SPRECON-E devices is file-based; i.e. SPRECON-E engineering tools are used to create parameter files that are usually stored at MS Windows based engineering machines. A device engineer that properly authenticates at the devices and has write-permission can configure devices by downloading these parameter files via proprietary SPRECON-E engineering tools.

An attacker that gains access to these files at rest (i.e. the office machines that are used for engineering) might change the content of the files by adding malicious commands without the device engineers taking notice. In case the device engineers download the manipulated files, the attacker was successful in bringing malicious commands to the device.
 

Limitation: A user with access to proprietary SPRECON-E engineering tools needs to compile the finally downloadable parameter files (“PDL”) which adds proper checksums to the files so that these get accepted by the devices. In the end, a user has to authenticate at the targeted devices and have proper permissions in order to successfully bring the files to the target.

Mitigation
  • SPRECON-E engineering data as well as device parameter files need to be stored with proper access restrictions in place in order to prevent unauthorized personnel from gaining access
  • Before creating PDLs and downloading them to the devices, the configuration data should be checked for any unwanted content
  • Engineering workstations as well as SPRECON devices themselves are suggested to only be operated in closed and properly secured environments as they usually carry sensitive data and operate critical processes.
Workaround Sprecher Automation will add additional security mechanisms to the SPRECON device firmware in order to isolate potentially manipulated commands in parameter files. These mechanisms will be available from SPRECON-E Control Firmware 8.64b upwards.

 

SPRECON-V460 Editor: Uncontrolled Search Path Vulnerability

Title SPRECON-V460 Editor: Uncontrolled Search Path Vulnerability
Date 12 December 2019
Relevance

SPRECON-E: not affected

SPRECON-V: affected (Editor)

CVE Code CVE-2019-15638
Description

The vulnerability is present on all systems with a vulnerable version of the SPRECON-V460 editor installed. Under specific circumstances, the SPRECON-V460 editor may load dll files provided by an attacker from a directory for which no administrator rights are required for writing files, and execute code of the attacker in the context of the user that started the SPRECON-V460 editor, when the user explicitly opens the .wsp6 file from this location. Systems with only the SPRECON-V460 runtime installed are not affected.

A CVSS v3 base score of 7.8 has been calculated for this vulnerability, which is identified as CVE-2019-15638.

Patches are available from version 7.50. Also, it is recommended that .wsp6 files not be executed by default via SPRECON-V460 Editor. Additional application whitelisting can also be used to mitigate this vulnerability.

 

TCP SACK PANIC: Analysis for SPRECON

Title TCP SACK PANIC: Analysis for SPRECON
Date 30 June 2019
Relevance

SPRECON-E: partly affected
SPRECON-V: not affected

CVE Code CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Description

Netflix discovered a critical vulnerability based on the combination of TCP Selective Acknowledgement (SACK) and TCP Maximum Segment Size (MSS) in Linux kernels. Sending specific sequences of TCP SACK packets with low MSS can cause an integer overflow, leading to a kernel panic. Hence, a denial of service can be the consequence, leading to potential unavailability of the device.
An analysis for SPRECON-E systems led to the result that only the FALCON (PU244x) and T3 MC33/34 product series are affected by the following CVEs:

  • CVE-2019-11477 (CVSS 3.0 Base Score 7.5)
  • CVE-2019-11478 (CVSS 3.0 Base Score 7.5)
  • CVE-2019-11479 (CVSS 3.0 Base Score 7.5)
     

Recommendation
By implementing the following firewall rule on SPRECON devices, the risk can be mitigated, as packets with low MSS will be dropped:
iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

Additionally, Sprecher Automation is working towards firmware fixes that close this vulnerability directly.

Nevertheless the general recommendation is to operate SPRECON control and protection devices only within isolated process networks, where proper network segmentation is in place. On potential external firewalls that build the zone boundary, similar measures for filtering packets with low MSS should be implemented. By doing so, the risk of this vulnerability can drastically be reduced.

Further details:
https://www.cert.at/warnings/all/20190618.html
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

SPRECON-E: Authenticated path traversal vulnerability

Title SPRECON-E: Authenticated path traversal vulnerability
Date 31 March 2019
Relevance

SPRECON-E: affected
SPRECON-V: not affected

CVE Code -
Description

The web interface (“SPRECON Webserver”) of the SPRECON components suffers from a path traversal vulnerability. A user who is authenticated on the web interface can download files with the permissions of the webserver (www-data). Files like "/etc/shadow" are not readable for the webserver; this is due to SPRECON’s defence-in-depth architecture.

Limitation:

  • This vulnerability is only available if the EDIR function is, or was, in use on the respective device. Also, a potential attacker needs valid authentication credentials (i.e. username + password) for the web interface.

Solution: 

  • Sprecher Automation fixed the vulnerability with firmware version 8.62 (and all subsequent releases). For longterm versions, the releases 8.52g and 8.56f will fix this vulnerability.

Workaround:

  • If access control (RBAC) is activated, it is not possible to exploit this vulnerability without having valid user credentials. It is strongly recommended to always activate user authentication on all configuration interfaces. Also, network segmentation is recommended in order to protect network access to IEDs and their interfaces.

 

CVSSv2 Base Score: 2.1
CVSSv3 Base Score: 2.6

More details can be found in the attached advisory.

Acknowledgements:
Thanks to Mr. Erik Huemer from Austrian Energy CERT / CERT.at / NIC.at

Authenticated path traversal Vulnerability

 

Vulnerabilities in Wibu Systems WibuKey Software components

Title Vulnerabilities in Wibu Systems WibuKey Software components
Date 26 February 2019
Relevance

SPRECON-E: not affected
SPRECON-V: affected

CVE Code -
Description

The WibuKey software is used for dongle licensing by the SPRECON-V460 editor, SPRECON-V460 runtime, SPRECON-V460 web server, SPRECON-V460 logic runtime, straton runtime, SPRECON-V460 logic workbench and the straton workbench, and for some versions is part of the installation of these software products.

SPRECON-V460 versions 8.00 and higher exclusively use the CodeMeter Software from Wibu Systems and are not affected by these vulnerabilities.

The SPRECON-V460 Analyzer exclusively uses the CodeMeter Software from Wibu Systems and is not affected by these issues.

Affected Components:

  • Systems where the SPRECON-V460 editor, SPRECON-V460 runtime, SPRECON-V460 web server, SPRECON-V460 logic runtime, straton runtime, SPRECON-V460 logic workbench, or straton workbench have been installed may contain an installation of the WibuKey Runtime software and are potentially affected.
  • Systems where the WibuKey Runtime software has been installed manually, as a WibuKey Network Server for hosting a WibuKey network dongle, are potentially affected.
  • Systems that use green WibuKey dongles (Centronics parallel interface, USB, other) require the WibuKey Software.
  • Systems that use silver CodeMeter dongles use the CodeMeter Runtime software and do not require the WibuKey Software.

Note: The WibuKey Runtime software and/or WibuKey dongles may also be used by software products from other vendors.

Affected Version: 

  • WibuKey Software versions 6.40 and older are affected
  • SPRECON-V460 products versions 7.20 and older are affected
  • SPRECON-V460 products versions 7.50 and 7.60 may be affected if the WibuKey software has been installed manually, to support a WibuKey dongle
  • straton products versions 9.2 and older are affected
     

Patch Availability:

Wibu Systems provides an updated version 6.50b – build 3323 of the WibuKey software that addresses the reported vulnerabilities.
Earlier in December 2018, Wibu Systems provided an updated version 6.50 of the WibuKey software that also addresses the reported vulnerabilities but contains interoperability issues with SPRECON-V460 products and parallel dongles.
The “WibuKey Runtime for Windows” software version 6.50b can be downloaded following this link:

https://www.wibu.com/support/user/downloads-user-software.html

Known Issues:

The version 6.50 build 3307 of the WibuKey Runtime for Windows software has a known issue with parallel WibuKey dongles. On start-up of the SPRECON-V460 editor or the SPRECON-V460 runtime, an error message appears stating “Licensing failed: Function = WkbSelect2() The specified parameter is invalid (4)”. Acknowledging the error allows a normal start of the application with the license intact.

Mitigation:

With versions SPRECON-V460 7.20 and older, the WibuKey Runtime software is installed automatically by the setup procedure, in order to be able to use WibuKey dongles without requiring a manual installation of this software.

When the installed product uses either a CodeMeter Dongle or a soft license, the WibuKey Runtime software is not needed and can be uninstalled through the Windows control panel. Uninstalling the WibuKey Runtime software removes the vulnerabilities.

When the installed product uses a WibuKey Dongle, uninstalling the WibuKey Runtime software removes the vulnerabilities, but the product then fails to start even with a valid dongle license. In this case there is no mitigation and the updated version must be installed.

With versions SPRECON-V460 7.50 and 7.60, the WibuKey Runtime software is no longer installed automatically as part of the setup procedure but is delivered together with the installation media. It is therefore possible that the WibuKey Runtime software has been installed manually at some point but may not, or may no longer, be needed.

General Recommendations:

Sprecher Automation generally recommends restricting local physical access to authorized people only. Network access shall be limited to communication that is absolutely required.

Using VLANs and firewalls to segment network traffic and create zones and conduits reduces exposure of vulnerable systems and allows access to a WibuKey WkLAN Server to be restricted to only those systems that are in fact using a network dongle. It is recommended that systems hosting a WibuKey WkLAN Server are not facing external networks.

Sprecher Automation further recommends using application whitelisting to restrict execution of applications to only those applications that are required for the operation of the system.
 

 

SPRECON-E Kernel Update

Title SPRECON-E Kernel Update
Date 7 August 2018
Relevance

SPRECON-E: partly affected
SPRECON-V: not affected

CVE Code -
Description

SPRECON-E: Kernel Update with Firmware 8.59

An update of SPRECON's operating system kernel has been completed. This update of the Linux kernel improves the defence-in-depth strategy of SPRECON-E products.
Details can be found in the release notes of the SPRECON-E Control 8.59 firmware.

 

SPRECON-V460: Meltdown / Spectre

Title SPRECON-V460: Meltdown / Spectre
Date 12 January 2018
Updated 23 February 2018
Relevance

SPRECON-V: partly affected

CVE Code CVE-2017-5753, CVE-2017-5715, etc.
UPDATE 1:

We can confirm that the following updates resolve several issues caused by the Microsoft Security Update at the beginning of the year 2018.
 

  • KB4074594 resolves KB4056898 - Windows 8.1 for x64-based Systems

  • KB4074594 resolves KB4056895 and KB4056898 - Windows 8.1 and Windows Server 2012 R2 Standard

  • KB4074592 resolves KB4056891 - Windows 10 Version 1703 for x64-based Systems

  • KB4074596 resolves KB4056893 - Windows 10 Version 1507 for x64-based Systems

  • KB4074590 resolves KB4056890 - Windows Server 2016 and Windows 10 Version 1607

  • KB4074593 resolves KB4056896 - Windows Server 2012 Standard

  • KB4074598 resolves KB4056894 - Windows 7 and Windows Server 2008 R2

Description

As already published in public media, several CPU chips from renowned manufacturers (Intel, AMD, etc.) are affected. Meltdown and Spectre use vulnerabilities such as faulty kernel-mappings in order to read arbitrary data from memory and disclose sensitive information.
A potential attacker would need to download malicious software to the system, execute it, and extract the results in order to use these attacks.

As SPRECON-V can be used on various computer hardware, whether a given installation is affected depends on the hardware used. For complete mitigation, operating system patches will need to be applied as soon as they can be installed without problems.

! At the moment, it has been recognized that several Microsoft Windows patches lead to problems. It is not recommended to apply these patches directly to the operational system. If they are to be applied, it is recommended to first create a backup of the systems, then apply the patches to an equivalent test system and check the functionality after patching. Alternative countermeasures as below can be applied. !

Additional analysis is currently being done. As soon as Microsoft Windows patches can be installed, and are thus approved by Sprecher Automation, this information will be shared.

Affected Products:


Countermeasures:

  • Technical/operational networks must be isolated from public networks

  • All communication means that lead into an operational network need to be monitored

  • HMI-stations within operational networks / stations should be additionally hardened (application whitelisting and/or antivirus software)

  • Enforcement of security monitoring in all areas and networks in order to detect anomalies

  • Strictly apply defence-in-depth in your networks

  • Chip and operating system manufacturers are already working on possible patches

  • Implementing the recommendations of the respective manufacturers on the affected stations can be considered

Microsoft offers tools to check whether the hardware is affected: https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

Links:

Meltdown and Spectre,
http://meltdownattack.com

Google Security Blog,
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html

COPADATA
https://www.copadata.com/en/news/news/security-announcement-6943/

 

SPRECON-E: Meltdown / Spectre

Title SPRECON-E: Meltdown / Spectre
Date 12 January 2018
Relevance

SPRECON-E: partly affected

CVE Code CVE-2017-5753, CVE-2017-5715
Description

As already published in public media, several CPU chips from renowned manufacturers (Intel, AMD, etc.) are affected. One of these affected products is used within the ARM-based SPRECON-E Falcon CPUs (PU244x). Other SPRECON-E products and CPU families are not affected. However, the resulting risk is marginal for SPRECON devices.


The facts are as follows:

  • Meltdown is not relevant to ARM chips; hence, there is no risk from this attack.
  • Regarding Spectre, variants 1 and 2 according to [1] are relevant, i.e. CVE-2017-5753 and CVE-2017-5715.
  • In order to exploit these vulnerabilities, a potential attacker would need to download malicious software to the device, execute it, and extract the results. Theoretically, this could lead to disclosure of sensitive data, which would compromise the confidentiality of data, but not directly compromise integrity or availability of the device.
  • However, SPRECON implements a strict defence-in-depth strategy. This means that there is no way to download arbitrary data to the device and execute downloaded code. Every means of downloading data onto the device is limited to authentic configuration data within the available engineering workflow on SPRECON. Hence, the risk from this vulnerability is minimal.

[1] developer.arm.com/support/security-update


Affected Products:

  • SPRECON-E-C and SPRECON-E-P with CPU PU244x


Links:

  • There is no need for action regarding the attacks Meltdown and Spectre.