Siemens reports multiple flaws in PSS SINCAL
Take action: This is not a panic mode issue, since exploit is very limited to local attack. If you are using WibuKey dongles, plan to update them to latest WibuKey Runtime for Windows. The update shouldn't be very painful.
Learn More
Siemens has disclosed two critical vulnerabilities in its PSS SINCAL product when used with WibuKey dongles. Both vulnerabilities, categorized under improper restriction of operations within the bounds of a memory buffer, could lead to serious system compromise, including denial of service and kernel memory corruption.
The WibuKey dongle is a hardware-based licensing solution from Wibu Systems that provides secure software protection by using a physical USB dongle
-
CVE-2024-45181 (CVSS score 9.3) - An improper bounds check in WibuKey64.sys (before v6.70) allows crafted packets to perform arbitrary address writes, potentially causing kernel memory corruption. This flaw could allow an attacker to cause a denial-of-service condition or corrupt kernel memory, leading to further system instability or exploitation.
-
CVE-2024-45182 (CVSS score 9.3) - An improper bounds check in WibuKey64.sys (before v6.70) allows crafted packets to perform arbitrary address reads, leading to denial-of-service conditions. This vulnerability could allow an attacker to disrupt system functionality through denial of service.
Successful exploitation of these vulnerabilities could enable attackers to either corrupt memory (potentially leading to further exploitation) or render affected systems inoperative through denial-of-service attacks. Both flaws present a serious risk to systems using WibuKey dongles for licensing or protection purposes.
These flaws affect all versions of PSS SINCAL when used with WibuKey dongles.
WIBU Systems has released an updated version of the WibuKey Runtime for Windows, version 6.70, which addresses these vulnerabilities. Siemens strongly recommends updating to this version or later on any affected Windows client installations that use WibuKey dongles. The update is available here.
At this time, no public exploitation targeting these vulnerabilities has been reported. These vulnerabilities are not remotely exploitable, limiting the risk of remote attack.
