The following list represents the vendors affected by the critical vulnerabilities uncovered by Team82 in Wibu-Systems's CodeMeter license-management component. The list contains vendors that the Industrial Control Systems Computer Emergency Response Team (ICS-CERT) has listed as having been contacted and affected, and those that have published their own advisories. Please find the ICS-CERT advisory here. Wibu-Systems has also published an advisory here.
Team82 has also published a related GitHub page.
For additional resources:
This list will be updated periodically. Vendors wishing to contact Team82 should reach out to secure@claroty.com. Find Claroty's public PGP key here.
--
This list was last updated Feb. 17, 2021.
CWE-79 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING')
The affected product is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript on the victim's browser.
Zenitel recommends users to upgrade to Version 9.3.3.0 or later.
CVSS v3: 9.8
CWE-787 OUT-OF-BOUNDS WRITE
The affected product is vulnerable to an out-of-bounds write vulnerability, which could allow a remote attacker to crash the device.
Zenitel recommends users to upgrade to Version 9.3.3.0 or later
CVSS v3: 7.6
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION')
An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Validation fails to enforce sufficient formatting rules, which could permit attackers to append arbitrary data. This could allow an unauthenticated attacker to inject arbitrary commands.
Zenitel recommends users to upgrade to Version 9.3.3.0 or later
CVSS v3: 9.8
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION')
An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without adequate validation. This could allow an unauthenticated attacker to execute arbitrary commands remotely.
Zenitel recommends users to upgrade to Version 9.3.3.0 or later.
CVSS v3: 9.8
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION')
An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input without verifying it is a valid IP address or filtering potentially malicious characters. This could allow an unauthenticated attacker to inject arbitrary commands.
Zenitel recommends users to upgrade to Version 9.3.3.0 or later
CVSS v3: 9.8
