Publication Date: 2021-07-13
Last Update: 2022-02-08
Current Version: V1.3
CVSS v3.1 Base Score: 9.1

Affected Product and Versions / Remediation

PSS(R)CAPE
  Affected versions: CAPE 14 installations installed from material dated earlier than 2021-06-16. CAPE 14 installations installed from material dated 2021-06-16 or later are not affected, as they contain a fixed version of CodeMeter Runtime.
  Remediation: If CAPE 14 was initially installed using earlier material, install WIBU Systems CodeMeter Runtime V7.21a or V7.30a manually to fix the issue: download the package from https://www.psscape.com/codemeter and install it the same way as documented for previous versions in the PSS CAPE 14 Installation Manual. Contact PSS(R)CAPE Support at psscape.support.energy@siemens.com if you need assistance with patching affected systems.
  Note: Installations of PSS(R)CAPE are only affected if network access to CodeMeter Runtime is enabled. This is not the default configuration and is not required for any PSS(R)CAPE functionality.

SICAM 230
  Affected versions: All versions
  Remediation: Currently no remediation is planned.
  Mitigation: Update SICAM 230 to V8.00 or later. Then update CodeMeter Runtime to V7.21a or V7.30a: download the package from https://www.wibu.com/us/support/user/downloads-user-software.html and install it on SICAM 230 systems according to the procedure documented in chapter 9.2 of the COPA-DATA Security Vulnerability Announcement 2021_1: https://www.copadata.com/fileadmin/user_upload/faq/files/CD_SVA_2021_1.pdf

SIMATIC Information Server
  Affected versions: All versions >= 2019 SP1 < 2020 Upd1 (only affected by CVE-2021-20093)
  Remediation: Update SIMATIC PCS neo to V3.1 or later. To obtain SIMATIC PCS neo V3.1, contact your local support.
  Mitigation: Limit remote access to port 22350/tcp on systems where the CodeMeter Runtime network server is running.

SIMATIC PCS neo
  Affected versions: All versions < V3.1 (only affected by CVE-2021-20093)
  Remediation: Update to V3.1 or later. To obtain SIMATIC PCS neo V3.1, contact your local support.
  Mitigation: Limit remote access to port 22350/tcp on systems where the CodeMeter Runtime network server is running.

SIMATIC Process Historian (incl. Process Historian OPC UA Server)
  Affected versions: All versions >= 2019 < 2020 Upd1 (only affected by CVE-2021-20093)
  Remediation: Update SIMATIC PCS neo to V3.1 or later. To obtain SIMATIC PCS neo V3.1, contact your local support.
  Mitigation: Limit remote access to port 22350/tcp on systems where the CodeMeter Runtime network server is running.

SIMATIC WinCC OA V3.17
  Affected versions: All versions < V3.17 P013 (only affected by CVE-2021-20093)
  Remediation: Update to V3.17 P013 or later: https://www.winccoa.com/downloads/category/versions-patches.html
  Mitigation: Limit remote access to port 22350/tcp on systems where the CodeMeter Runtime network server is running (for details refer to the updated security manual of WinCC OA).

SIMATIC WinCC OA V3.18
  Affected versions: All versions < V3.18 P002 (only affected by CVE-2021-20093)
  Remediation: Update to V3.18 P002 or later: https://www.winccoa.com/downloads/category/versions-patches.html
  Mitigation: Limit remote access to port 22350/tcp on systems where the CodeMeter Runtime network server is running (for details refer to the updated security manual of WinCC OA).

SIMIT Simulation Platform
  Affected versions: All versions >= V10.0 < V10.3 Upd 1 (only affected by CVE-2021-20093)
  Remediation: Update to V10.3 Upd1 or later: https://support.industry.siemens.com/cs/ww/en/view/109800638/
  Alternatively, install WIBU Systems CodeMeter Runtime V7.21a or V7.30a manually to fix the issue: download the package from https://www.wibu.com/us/support/user/downloads-user-software.html and follow the installation instructions from WIBU Systems.

SINEC INS
  Affected versions: All versions < V1.0.1 Update 1 (only affected by CVE-2021-20093)
  Remediation: Update to V1.0.1 Update 1 or later: https://support.industry.siemens.com/cs/ww/en/view/109806100/
  Alternatively, update CodeMeter Runtime to V7.21a: download the package "CodeMeter User Runtime for Linux, version 7.21a, Driver-only" from the WIBU Systems User Software website and install it on the system that runs SINEC INS by executing the following command:

    sudo dpkg --force-depends --force-confnew -i codemeter-7.21.4611.501_amd64.deb

  Mitigation: Limit remote access to port 22350/tcp on systems where the CodeMeter Runtime network server is running. Note that this is the default configuration, which therefore limits the exploitability to local attacks only.

SINEMA Remote Connect Server
  Affected versions: All versions < V3.0 SP2 (only affected by CVE-2021-20093)
  Remediation: Update to V3.0 SP2 or later: https://support.industry.siemens.com/cs/ww/en/view/109793790/
  Mitigation: Limit remote access to port 22350/tcp on systems where the CodeMeter Runtime network server is running. Note that this is the default configuration, which therefore limits the exploitability to local attacks only.
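The mitigations above come down to two checks on a host: is the CodeMeter Runtime network server reachable on 22350/tcp from outside the machine, and is the installed runtime at least the fixed 7.21a build? As an added example (not part of the Siemens advisory or of WIBU's software), this Python audit helper classifies `ss -H -ltn` listener output and compares a dpkg version string against the package version quoted in the advisory; the sample listener lines are constructed.

```python
import re
from ipaddress import ip_address

CODEMETER_PORT = 22350
# Version of the fixed 7.21a Linux package named in the advisory (codemeter-7.21.4611.501_amd64.deb).
FIXED_VERSION = (7, 21, 4611, 501)

# Constructed sample of `ss -H -ltn` output: CodeMeter bound to loopback AND to all IPv6 addresses.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:22350 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22350 [::]:*
"""

def parse_version(text):
    """'7.21.4611.501' -> (7, 21, 4611, 501); a Debian revision suffix ('-1') is ignored."""
    return tuple(int(p) for p in text.split("-")[0].split("."))

def runtime_is_fixed(installed):
    """True if the installed CodeMeter Runtime is at least the 7.21a package version."""
    return parse_version(installed) >= FIXED_VERSION

def codemeter_listeners(ss_output):
    """Return the local address of every TCP listener on CODEMETER_PORT."""
    addrs = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        # Local address column looks like '127.0.0.1:22350', '[::]:22350' or '*:22350'.
        m = re.match(r"^\[?([^\]]*)\]?:(\d+)$", parts[3])
        if m and int(m.group(2)) == CODEMETER_PORT:
            addrs.append(m.group(1))
    return addrs

def exposure(ss_output):
    """'none': not listening; 'local': loopback only (the default the advisory says limits
    exploitability to local attacks); 'remote': reachable from the network, so the
    22350/tcp access restriction or the runtime update is needed."""
    addrs = codemeter_listeners(ss_output)
    if not addrs:
        return "none"
    for addr in addrs:
        if addr in ("*", "") or not ip_address(addr).is_loopback:
            return "remote"
    return "local"

if __name__ == "__main__":
    print("CodeMeter 22350/tcp exposure:", exposure(SAMPLE_SS_OUTPUT))
```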

CVSS v3.1 Base Score: 9.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:P/RL:O/RC:C
CWE: CWE-126: Buffer Over-read

CVSS v3.1 Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
CWE: CWE-126: Buffer Over-read

https://www.siemens.com/cert/advisories