Run the CmWAN server only behind a reverse proxy with user authentication to prevent attacks from unauthenticated users. Check if CmWAN is enabled and disable the feature if it is not needed. The CmWAN server is disabled by default.
If it is not possible to disable the network server, a host-based firewall that restricts access to the CmLAN port can reduce the risk. The network server is disabled by default. With the server bound to localhost, an attack over a remote network connection is no longer possible: run CodeMeter as a client only and use localhost as the binding for CodeMeter communication. (This module can be updated by updating DeviceXPlorer OPC Server to Ver.6.4.0.1.)
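As an added example, not taken from these release notes or from Wibu-Systems, the following PowerShell audit checks the recommendations above on a DeviceXPlorer host: whether the CmWAN server is listening at all, whether the network server is bound to localhost, and which inbound host-firewall rules cover any CodeMeter port still reachable from the network. It assumes the CodeMeter default TCP ports 22350 (network server / CmLAN) and 22351 (CmWAN) and the service process name CodeMeter.exe; verify both in CodeMeter WebAdmin before relying on the result.

```powershell
# Added example, not part of the DeviceXPlorer release notes or of Wibu's tooling.
# Assumed defaults (verify in CodeMeter WebAdmin): TCP 22350 for the network
# server (CmLAN) and TCP 22351 for CmWAN; the service process is CodeMeter.exe.
# Run in an elevated PowerShell session on the DeviceXPlorer host.

$codeMeterPorts = @{ 22350 = 'CmLAN network server'; 22351 = 'CmWAN server' }
$loopback       = @('127.0.0.1', '::1')

# 1. Which CodeMeter ports are listening, and on which address?
#    The recommended configuration is: CmWAN not listening at all, and the
#    network server bound to localhost when CodeMeter is used as a client only.
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $codeMeterPorts.ContainsKey([int]$_.LocalPort) } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            Role    = $codeMeterPorts[[int]$_.LocalPort]
            Address = $_.LocalAddress
            Process = if ($proc) { $proc.ProcessName } else { 'unknown' }
            Exposed = $_.LocalAddress -notin $loopback   # reachable from the network
        }
    }
$listeners | Format-Table -AutoSize

# 2. For every exposed port, list the enabled inbound firewall rules that name
#    that exact port, with their RemoteAddress scope, so the restriction the
#    advisory suggests (when the server cannot be disabled) can be reviewed.
foreach ($l in ($listeners | Where-Object Exposed)) {
    Write-Warning "$($l.Role) is bound to $($l.Address):$($l.Port) (process $($l.Process))"
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and "$($_.LocalPort)" -eq "$($l.Port)" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            "  rule '$($_.DisplayName)': action=$($_.Action) remote=$addr"
        }
}
if (-not ($listeners | Where-Object Exposed)) {
    'No CodeMeter port is reachable from the network.'
}
```

A port that shows `remote=Any` in an allow rule is still open to the whole network even though a rule exists; port ranges in firewall rules are not matched by this exact-port comparison.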
Cause: Vulnerability due to CodeMeter Runtime
CVE-2021-20094 (CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
CVE-2021-20093 (CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
An attacker could send a specially crafted packet that could crash the server or direct the CodeMeter Runtime Network Server to send back packets containing data from the heap. An attacker could send a specially crafted packet to the CodeMeter Runtime CmWAN server to cause a denial-of-service condition. Successful exploitation of these vulnerabilities could allow an attacker to read data from the heap of the CodeMeter Runtime network server, or crash the CodeMeter Runtime Server. (ICSA-21-210-02)
Measures: Update CodeMeter Runtime to v7.21a.
AFFECTED PRODUCTS: DeviceXPlorer OPC Server Ver.6 series
Updated the version of the library (CodeMeter Runtime) used for license key activation from v7.20b to v7.21a. Malicious packets can read sensitive information in memory or perform denial-of-service (DoS) attacks.
Fixed the problem that communication with the device does not occur when IOPCAsyncIO2::Refresh2 is performed from the OPC DA client in the OPC DA server function.
Fixed the problem that the diagnostic monitor crashes when it is operated while an OPC UA client is connected to the OPC UA server function with an empty session name. (target version: between 6.0.0 and 6.4.0)
Fixed the problem that the time information at 0 am is not output properly when no argument is specified in the Format function of the time class (COleDateTime) in the script function.
Fixed the problem that the device type assigned to a tag is changed to a different device type when opening a project file (*.dxp) of Ver.5 or earlier. (target version: between 6.0.0 and 6.4.0)
Fixed the problem that the value is not written when writing is performed with a unit number other than 0 or 1000 in communication with the FP7 series. (target version: between 6.0.0 and 6.4.0)
Fixed the problem that the item registration (AddItem) is not executed and a communication error occurs even after reconnection following a communication error, when multiple devices are assigned to one port.
Removed the upper limit on the number of devices that can be imported from a KEPServerEX configuration file (CSV format).
Fixed the problem that communication does not recover when reopening in communication with the iQ-R (F) series. (target version: between 6.3.0 and 6.4.0)
Updated the OpenSSL library used in the OPC UA server / client function from version 1.02p to 1.1.1l. This fixes vulnerabilities through which a malicious attacker could change application behavior or cause denial-of-service (DoS) attacks: malicious packets can change the behavior of applications running OpenSSL or cause denial of service.
CVE-2021-3711 (CVSS SCORE: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, Base Score: 9.8)
CVE-2021-3712 (CVSS SCORE: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H, Base Score: 7.4)