Product Security Updates

28.09.2020

IMPORTANT SECURITY NOTICE

Vulnerabilities in Image Acquisition software

Regarding security for the following Imaging Software and Products:

  • LAS X versions for Confocal, Widefield, and Industry
  • LAS AF
  • LMD
  • PAULA

Security Advisory - Temporary solution: firewall configuration change (blocking TCP port 22350).

Description of the Problem and potential Risk

The software vendor WIBU Systems disclosed vulnerabilities in its product CodeMeter. This product is widely used in the industry for license management and is also embedded in image acquisition software from Leica Microsystems (in the product lines LAS X, LAS AF, PAULA and LMD). The vulnerabilities can only be exploited on computers connected to a network. In a worst-case scenario, an attacker could cause a denial-of-service condition or achieve remote code execution.

What can you do immediately to ensure a secure operation of your Imaging software?

To protect your valuable image data and your system, a port in the firewall (TCP port 22350) has to be blocked for the time being. We strongly recommend that systems on which LAS X, LAS AF, LMD, or PAULA have been set up are not operated within a network before the firewall configuration change is applied. Detailed instructions on how to change the firewall settings are given further below. Once the change is done, you can reconnect to the network. Please do not accept any certificates or licenses from untrusted sources, and avoid visiting potentially malicious websites.

Please note that the vulnerability exists regardless of whether the imaging software is running, because the affected components are started together with the operating system.

What will be the next steps from Leica Microsystems?

At Leica Microsystems, we are working on software releases for all affected products mentioned above that will permanently eliminate the vulnerability discovered in the license component. We are fully committed to delivering solutions that will allow you to safely and securely operate our imaging software within network setups. We will inform you via the product security pages on our website as soon as the solutions are available.

For an immediate but temporary solution, please follow the instructions below. If you have additional questions, you can also contact your Leica technical support.

Advice for Immediate Action – a temporary solution to prevent this security risk:

Firewall configuration change (blocking TCP port 22350)

As a short-term fix to prevent more severe scenarios and stop attackers from exploiting this vulnerability, TCP port 22350 needs to be blocked for network communication. This can be done either in the firewall of your local Windows system (instructions for LAS X and PAULA and instructions for LMD instruments) or in your organization's network-wide firewall. Please contact your IT administrator for support in blocking TCP port 22350. Once this port is blocked, you can continue working with your imaging software. Network-based activation of licenses might be blocked by this temporary solution; in that case please use the file-based activation via e-mail.
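The following script is an added example of the local Windows firewall change described above; it is not Leica's or WIBU's own work instruction. It uses the netsh advfirewall command rather than the newer NetSecurity cmdlets so that it also runs on the Windows 7 systems mentioned in the FAQs, and it must be run from an elevated (Administrator) PowerShell. The rule name Block_CodeMeter_TCP_22350 is an assumption chosen here; the port number 22350 is the one given in this advisory.

```powershell
# Added example (not from the advisory): block inbound TCP 22350 on the local
# Windows firewall as the advisory's temporary mitigation, and verify the result.
# Run from an elevated PowerShell. Works on Windows 7 and later.

$RuleName = "Block_CodeMeter_TCP_22350"   # assumed rule name, chosen for this example
$Port     = 22350                          # port named in the advisory

# 1. Before the change: show whether anything is listening on the port.
#    A LISTENING line confirms that the license component has bound the port,
#    which happens at boot regardless of whether the imaging software runs.
Write-Host "Listeners on TCP $Port before the change:"
netstat -ano | Select-String ":$Port\s+.*LISTENING"

# 2. Remove a previous rule of the same name so the script can be re-run safely
#    (netsh reports an error if no such rule exists; that is harmless here).
netsh advfirewall firewall delete rule name=$RuleName | Out-Null

# 3. Add an inbound block rule for TCP 22350 in all profiles (Domain, Private, Public).
netsh advfirewall firewall add rule name=$RuleName dir=in action=block protocol=TCP localport=$Port profile=any enable=yes

# 4. A block rule only takes effect if the firewall is on for the active profile.
netsh advfirewall set allprofiles state on

# 5. Verify: the rule must be listed as Enabled: Yes, Direction: In, Action: Block.
netsh advfirewall firewall show rule name=$RuleName
```

The rule concerns inbound connections from other hosts only; Windows Firewall does not filter loopback traffic, so the imaging software on the same machine can still reach the license component locally, which is why the advisory says work can continue once the port is blocked. When the patched Leica release has been installed, the rule can be removed again with `netsh advfirewall firewall delete rule name=Block_CodeMeter_TCP_22350`.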

We will inform you when a new software version is available from Leica Microsystems that solves the issue.

Please do not accept any certificates or licenses from untrusted sources, and avoid visiting potentially malicious websites.

FAQs

Q: Is there a guide on how to block the TCP port 22350 in Windows 7?

A: Please use the following guidelines for Windows 7 based systems: Windows 7 Work Instructions.

Q: To block the TCP port 22350, I need an admin password for my Windows PC. What is the password for the admin account? 

A: Please contact your local IT department. In case the PC was delivered by Leica Microsystems as part of a system solution, please contact technical service via the Service portal.

Q: I assume that the vulnerability affects your application software only, but because we use the Leica SDK hardware, I would like to know whether it is also affected.

A: This issue affects neither the Leica SDK hardware for developers nor the Hardware Configurator, because they do not install or use the vulnerable component.

Q: Does the current security issue also affect the free LASX offline packages?

A: Yes, this also affects the free LAS X offline packages.

Q: I want to solve this issue myself ASAP and noticed that WIBU provides the latest CodeMeter version on their web page. Can I update the CodeMeter software to the latest version to fix the security issue myself?

A: No, you need to install the next released software version from Leica Microsystems to solve this security issue. The release will be communicated on our webpage.

More information

For more details regarding the vulnerabilities in CodeMeter Runtime refer to: