Software licensing bug percolates pre-auth RCE risk downstream to PLC-land

Another arguably more potent example and one actively exploited in the wild is CVE-2023-46604 – a CVSS 10 RCE vulnerability in Apache ActiveMQ; an open source message broker written in Java.

A critical bug in a software licence management platform from Germany's Wibu Systems, is forcing downstream customers to push patches for the vulnerability – which in some configurations lets an “unauthenticated, remote attacker… achieve RCE and gain full access of the host system.”

The CVSS 9.8 vulnerability was allocated CVE-2023-3935 and disclosed in August 2023. Many downstream consumers of the software have only recently begun to recognise and rectify exposure. Among those affected is Rockwell Automation’s widely used Studio 5000 Logix Designer, which lets users create and monitor Programmable Logic Controller systems.

An anonymous researcher reported Rockwell’s exposure to CISA. The company pushed a fix in late 2023, saying its “FactoryTalk Activation Manager and Studio 5000 Logix Designer uses… products which contain a heap buffer overflow vulnerability in Wibu CodeMeter Runtime network service up to version 7.60b that allows an unauthenticated, remote attacker to achieve RCE and gain full access of the host system.”

See also: US agencies tells users to deploy 'independent encryption' across satellite comms. It's not that easy.

Among others affected is a wide range of CAD/CAM software tools from industrial machinery specialist TRUMPF. Germany’s VDE CERT said: “An attacker exploiting the vulnerability in WIBU CodeMeter Runtime in server mode could gain full access to the affected server via network access without any user interaction. Exploiting [it] in non-networked workstation mode could lead to a privilege elevation and full access on this workstation for an already authenticated user (logged in locally to the PC).

Others patching are Leica Microsystems, which provides high-end microscopes, among other products and which pushed a fix in December. 

The series of advisories are a crisp reminder of the extent to which upstream software issues, whether in proprietary or open source software, can percolate downstream and sometimes go unnoticed by other software manufacturers for some time despite their criticality.

Another arguably more potent example (and unlike the above, actively exploited in the wild) critical upstream vulnerability is CVE-2023-46604 – a CVSS 10 RCE vulnerability in Apache ActiveMQ; an open source message broker written in Java.

Among those affected and recently pushing an advisory is Juniper Networks, which says its JSA Series Virtual Appliances are affected by the vulnerability. It says exposure rates as a CVSS 9.8 and has urged swift patching in a December 28, 2023 security advisory.

Numerous other software providers have patched that bug, including Red Hat (RHEL-7 based Middleware Containers were among those vulnerable).

Researchers at Fortinet note that “Technical details and PoC code for CVE-2023-46604 are publicly available, making it easier for attackers to exploit this vulnerability. In recent weeks, Fortiguard Labs has detected numerous threat actors exploiting CVE-2023-46604 to disseminate diverse strains of malware. Our analysis has unveiled the emergence of a newly discovered Golang-based botnet named GoTitan and a .NET program called "PrCtrl Rat," equipped with remote control capabilities.”

See also: The Stack analysed 90,000+ software vulnerabilities: Here's what we learned