Subscribe now to stay up to date on the latest Leica product data security vulnerabilities and privacy issues
December 2023 - Security vulnerability in licensing component used by Leica Microsystems software
Description of the Problem and Potential Risk
Software vendor, Wibu-Systems, has disclosed vulnerabilities in its CodeMeter product (CVE-2023-3935). This product is widely used in the industry for license management and is also embedded in image acquisition software from Leica Microsystems (see detailed list below). The ability to exploit this vulnerability is limited to computers that are connected to a network. The flaw can be exploited by a remote, unauthenticated attacker for arbitrary code execution if CodeMeter Runtime is configured as a server. If CodeMeter Runtime is configured as a client, the bug can allow an authenticated local attacker to escalate privileges to root on the PC where the acquisition software is installed.
Remediation
Wibu-Systems recommends in their Security Advisory WIBU-230704-01-v3.1 to install CodeMeter Runtime version 7.60d. Updating CodeMeter to Version 7.60d has been tested with the Leica Microsystems software versions listed below and the installer is available from the Leica Microsystems download page .
When installing CodeMeter Runtime 7.60d, follow the instructions and keep the default settings to ensure a smooth experience.
Leica Microsystems recommends updating to versions higher than mentioned above, as these will use versions of CodeMeter that include the security patch for this vulnerability.
More information
For more details regarding the vulnerabilities in CodeMeter Runtime, please refer to:
- Official Common Vulnerabilities and Exposures (CVE) record
- Wibu-Systems Security Advisories
- Wibu-Systems CodeMeter Runtime 7.60d (download from Leica Microsystems)
List of affected versions and solution descriptions
LAS X |
|
|
Version | System | Solution Description |
3.0.14-3.0.15 | Industry System | Update CodeMeter to 7.60d |
3.5.7-3.5.9 | Confocal LifeScience System (SP8) | Update CodeMeter to 7.60d |
3.6.1 | Widefield LifeScience System (support for older hardware) | Update CodeMeter to 7.60d |
3.7.3-3.9.0 | Widefield LifeScience System | Update CodeMeter to 7.60d |
4.1.1-4.6.1 | Confocal LifeScience System | Update CodeMeter to 7.60d |
5.0.0-5.2.1 | Industry System | Update CodeMeter to 7.60d |
6.0.0-6.2.1 | Widefield LifeScience System (Mica) | Update CodeMeter to 7.60d |
All previous versions | All | |
LMD |
|
|
Version | System | Solution Description |
8.2.3-8.3.1 |
| Update CodeMeter to 7.60d |
Paula |
|
|
Version | System | Solution Description |
1.2.4.27070 |
| Update CodeMeter to 7.60d |
1.2.2.26319 |
| Update CodeMeter to 7.60d |
EXALTA |
|
|
Version | System | Solution Description |
All |
| Update CodeMeter to 7.60d |
Higher versions of imaging software by Leica Microsystems than those listed above that have been or will be released include versions of CodeMeter that include the security patch.
17.03.2022 - PTC Axeda Agent Vulnerability
We are aware of the recently disclosed PTC Axeda agent vulnerabilities (CVE-2022-25247, 25248, 25249, 25250, 25251). We are actively monitoring this serious issue, and we are working to assess any products or services provided by Leica Microsystems that are either directly or indirectly affected by this vulnerability.
At the current time, we have identified SPE, SP5, SP8 and SCN400 as potentially affected. Furthermore, this only affects instruments:
- having currently any network connection, including restricted connections, and
- running pre-2021 version of Axeda RemoteCare.
This software is no longer being used by Leica Microsystems. LMS has retired the software on December 31, 2020.
There are several mitigation options:
- Contact your IT Department to restrict network access to the instrument,
- Contact Leica Service to uninstall Axeda software from your instrument @ @iot@leicams.com
- For additional mitigation please visit: https://www.cisa.gov/uscert/ics/advisories/icsa-22-067-01
For more information, please review:
https://www.ptc.com/en/support/article/CS363561
https://www.cisa.gov/uscert/ics/advisories/icsa-22-067-01 .
Also, we strongly encourage all customers to register their equipment to receive email notifications in the future.
24.01.2022 - Apache Log4j - Security notice for users of Leica SP8 workstations (HP Z840 series)
The Apache Foundation has announced security vulnerabilities for Log4j (CVE-2021-44228, CVE-2019-17571). Log4j is widely used across multiple industries for logging PC applications.
Our image acquisition software LAS X is not affected by this thread. However, SP8 workstations from the HP Z840 series come with a pre-installation of the MegaRAID storage manager, a tool which depends on Log4j. The ability to exploit these Log4j vulnerabilities is limited to computers connected to an unprotected network. In a worst-case scenario, an attacker could cause a denial-of-service condition and attain remote code execution.
What can you do to ensure a secure operation of your SP8 confocal system?
MegaRAID storage manager is not essential for the proper functioning of your SP8 confocal system but rather “only” a convenience tool for monitoring the internal RAID controller. Accordingly, to protect your valuable image data and your system, you can simply deinstall the MegaRAID storage manager. To do so, follow the instructions. Please note that the vulnerability is independent of whether the imaging software is started or not, as the affected components are booted up with the operating system. When an updated, secure version of the MegaRAID storage manager becomes available from the 3rd-party vendor, we will inform you via the product security page.
11.12.2021 - Apache Log4j Vulnerability
We are aware of the recently disclosed Apache Log4j vulnerability (CVE-2021-44228).
We are actively monitoring this serious issue, and we are working to assess any products or services provided by Leica Microsystems that are either directly or indirectly affected by this vulnerability.
At the current time, we are not aware of any Leica Microsystem products or services that contain this vulnerability.
As we continue to investigate this issue, if we determine that any products or services need mitigation for this vulnerability, then we will work to make such mitigations available as quickly as possible, and we will provide information here describing how these mitigations can be applied.
For more information, please review CVE-2021-44228 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 and the Apache Log4j post https://logging.apache.org/log4j/2.x/index.html.
24.03.2021 - NVIDIA Driver Update Instructions for LAS X Workstations
Vulnerabilities in third-party NVIDIA GPU driver (all versions prior to 461.09) affect certain product lines running on LAS X confocal and LAS X widefield
LAS X confocal and LAS X widefield do not only empower researchers to acquire high-quality data. They also provide state-of-the-art image processing tools, such as LIGHTNING and THUNDER. To guarantee seamless computation for these demanding workloads, LAS X confocal and LAS X widefield leverage powerful graphic cards (GPUs) from NVIDIA.
NVIDIA is continuously evaluating their product security. In this context, they have recently disclosed several vulnerabilities for their GPU drivers (all versions prior to 461.09), warranting timely action for affected workstations. Being offered with an NVIDIA GPU configuration, the following product lines are affected:
- Confocal:
- STELLARIS (all systems running on LAS X confocal <= 4.2.0)
- SP8 (certain systems running on LAS X confocal <= 3.5.7: depending on whether acquisition workstation has an NVIDIA GPU)
- Offline workstations (certain workstations running on LAS X confocal <= 3.5.7 or LAS X confocal <= 4.2.0: depending on whether offline workstation has an NVIDIA GPU)
- Widefield:
- THUNDER Imager (all systems running on LAS X widefield <= 3.7.4)
- All systems with a ‘LAS X Workstation’ or a ‘LAS X Core Workstation’ (running on LAS X widefield <= 3.7.4)
If you are unsure whether your acquisition or offline workstation features an NVIDIA GPU, please refer to the instructions [‘Check if the system is equipped with an NVIDIA graphics card’]. In case your workstation does not have an NVIDIA GPU, there is no need to take any action regarding these disclosed vulnerabilities.
In case your workstation has an NVIDIA GPU, the disclosed vulnerabilities are resolved by installing the patched NVIDIA drivers as described in the instructions. We strongly recommend to all affected LAS X users to follow this guide in order to address all known NVIDIA driver vulnerabilities.
This NVIDIA driver issue is resolved independently from LAS X, i.e., a LAS X patch release is not necessary. Naturally, upcoming LAS X releases for confocal and widefield systems will contain the updated driver by default [461.09 or later], rendering the described procedure for addressing these very vulnerabilities unnecessary.
Finally, we have performed software tests for LAS X 3.5.7 (SP8), LAS X 3.7.4 (widefield), and LAS X 4.2.0 (STELLARIS) to verify the compatibility of the updated NVIDIA driver [461.09] with our respective LAS X software versions.
19.10.2020 - Important Security Notice
Vulnerabilities in Image Acquisition software regarding security for the following Imaging Software and Products:
LAS AF | LMD | PAULA | LAS X versions for Confocal, Widefield, and Industry
Recommendation for Corrective Action
Leica Microsystems strongly recommends checking your current version and ensuring that the system setup is up-to-date using the solutions described below. If you are still using one of the software versions listed, please follow these instructions to update your system as soon as possible. To learn about the technical background of the vulnerability, which will be solved by following these instructions, please see “Description of the Problem and Potential Risk” at the end of this page.
Security Advice – Step by Step Solution Description
- Please select the software that you are using in the tabs below
- Lookup the entry for your version and system in the table and follow the instructions (Note: You can find the version number of your software by selecting ‘About…’ in the ‘Help’ menu)
If you have additional questions, you can also contact your Leica Technical Support. In general, we strongly advise that you do not accept any certificates and licenses from untrusted sources and avoid visiting potential malicious websites.
Version | System | Solution Description |
| 3.0.0 and higher | SP8 | Please contact your Leica Technical Support to implement the update to version 3.5.7. If you do not want to update your software at the moment, please follow the instructions below to block the TCP port 22350. To stop attackers from being able to exploit the vulnerability, the TCP port 22350 needs to be blocked in the network communication. It can be done either in your local Windows system (instructions for LAS X and PAULA and instructions for LMD instruments) or in your organization’s network firewall system. Please contact your IT admin for support to block the TCP port 22350. Once this port is blocked, you can continue working with your imaging software. In case activation of licenses might be blocked, please use the file-based activation via e-mail. |
| Other | All | Solution: Block the TCP port 22350 To stop attackers from being able to exploit the vulnerability, the TCP port 22350 needs to be blocked in the network communication. It can be done either in your local Windows system (instructions for LAS X and PAULA and instructions for LMD instruments) or in your organization’s network firewall system. Please contact your IT admin for support to block the TCP port 22350. Once this port is blocked, you can continue working with your imaging software. In case activation of licenses might be blocked, please use the file-based activation via e-mail. |
Version | System | Solution Description |
| 8.x.x | All | Solution: Update to version 8.2.3 1) To install the new version, first download the zip file from the following link webshare3.leica-microsystems.com/downloads/LMD_8.2.3.7603.zip 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. |
| 7.x.x | All | Solution: Update to version 8.2.3 Please note that this update is tested only for systems with Windows 10. If you run another version of Windows, please contact your Leica Technical Support for Windows 10 upgrade options. For Windows 10: 1) To install the new version, first download the zip file from the following link webshare3.leica-microsystems.com/downloads/LMD_8.2.3.7603.zip 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. |
Version | System | Solution Description |
| 1.x.x | All | Solution: Update to version 1.2.3
|
Version | System | Solution Description |
| 1.x.x | Confocal LifeScience System | Please contact your Leica Technical Support to implement the update to version 3.5.7. If you do not want to update your software at the moment, please follow the instructions below to block the TCP port 22350. To stop attackers from being able to exploit the vulnerability, the TCP port 22350 needs to be blocked in the network communication. It can be done either in your local Windows system (instructions for LAS X and PAULA and instructions for LMD instruments) or in your organization’s network firewall system. Please contact your IT admin for support to block the TCP port 22350. Once this port is blocked, you can continue working with your imaging software. In case activation of licenses might be blocked, please use the file-based activation via e-mail. |
| 1.x.x up to 3.0.11 | Industry System | Update to version 3.0.15 This update is tested only for systems with Windows 10. 1) To install the new version, first download the zip file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_3.0.15_23304_Setup.zip 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. |
| 1.0.0 up to 3.6.0 | Widefield LifeScience System | Solution: Update to version 3.6.1 |
| 2.0.0 | Confocal LifeScience System | Please contact your Leica Technical Support to implement the update to version 3.5.7. If you do not want to update your software at the moment, please follow the instructions below to block the TCP port 22350. To stop attackers from being able to exploit the vulnerability, the TCP port 22350 needs to be blocked in the network communication. It can be done either in your local Windows system (instructions for LAS X and PAULA and instructions for LMD instruments) or in your organization’s network firewall system. Please contact your IT admin for support to block the TCP port 22350. Once this port is blocked, you can continue working with your imaging software. In case activation of licenses might be blocked, please use the file-based activation via e-mail. |
| 2.0.1 or 2.0.2 | Confocal LifeScience System | If you are using advanced modalities such as STED or DIVE, please contact your Leica Technical Support to implement the update to version 3.5.7. If you own a customized solution or you do not want to update your software at the moment, please follow the instructions bewlow to block the TCP port 22350. If you are working with standard confocal only, please follow the instructions below. Update to version 3.5.7 (standard confocal mode operation only) 1) To install the new version, first download the zip file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_3.5.7_23225_Setup.zip 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. instructions below to block the TCP port 22350. To stop attackers from being able to exploit the vulnerability, the TCP port 22350 needs to be blocked in the network communication. It can be done either in your local Windows system (instructions for LAS X and PAULA and instructions for LMD instruments) or in your organization’s network firewall system. Please contact your IT admin for support to block the TCP port 22350. Once this port is blocked, you can continue working with your imaging software. In case activation of licenses might be blocked, please use the file-based activation via e-mail. |
| 3.0.12 up to 3.0.13 | Industry System | Solution: Update to version 3.0.14 1) To install the new version, first download the zip file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_3.0.14_23224_Setup.zip 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. |
| 3.1.0 | Confocal LifeScience System | If you are using advanced modalities such as STED or DIVE, please contact your Leica Technical Support to implement the update to version 3.5.7. If you own a customized solution or you do not want to update your software at the moment, please follow the instructions bewlow to block the TCP port 22350. If you are working with standard confocal only, please follow the instructions below. Update to version 3.5.7 (standard confocal mode operation only) 1) To install the new version, first download the zip file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_3.5.7_23225_Setup.zip 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. instructions below to block the TCP port 22350. To stop attackers from being able to exploit the vulnerability, the TCP port 22350 needs to be blocked in the network communication. It can be done either in your local Windows system (instructions for LAS X and PAULA and instructions for LMD instruments) or in your organization’s network firewall system. Please contact your IT admin for support to block the TCP port 22350. Once this port is blocked, you can continue working with your imaging software. In case activation of licenses might be blocked, please use the file-based activation via e-mail. |
| 3.1.1 | Confocal LifeScience System | If you are using advanced modalities such as STED or DIVE, please contact your Leica Technical Support to implement the update to version 3.5.7. If you own a customized solution or you do not want to update your software at the moment, please follow the instructions bewlow to block the TCP port 22350. If you are working with standard confocal only, please follow the instructions below. Update to version 3.5.7 (standard confocal mode operation only) 1) To install the new version, first download the zip file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_3.5.7_23225_Setup.zip 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. instructions below to block the TCP port 22350. To stop attackers from being able to exploit the vulnerability, the TCP port 22350 needs to be blocked in the network communication. It can be done either in your local Windows system (instructions for LAS X and PAULA and instructions for LMD instruments) or in your organization’s network firewall system. Please contact your IT admin for support to block the TCP port 22350. Once this port is blocked, you can continue working with your imaging software. In case activation of licenses might be blocked, please use the file-based activation via e-mail. |
| 3.1.2 | Confocal LifeScience System | Solution: Update to version 3.5.7 1) To install the new version, first download the zip file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_3.5.7_23225_Setup.zip 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. |
| 3.1.5 | Confocal LifeScience System | If you are using advanced modalities such as STED or DIVE, please contact your Leica Technical Support to implement the update to version 3.5.7. If you own a customized solution or you do not want to update your software at the moment, please follow the instructions bewlow to block the TCP port 22350. If you are working with standard confocal only, please follow the instructions below. Update to version 3.5.7 (standard confocal mode operation only) 1) To install the new version, first download the zip file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_3.5.7_23225_Setup.zip 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. instructions below to block the TCP port 22350. To stop attackers from being able to exploit the vulnerability, the TCP port 22350 needs to be blocked in the network communication. It can be done either in your local Windows system (instructions for LAS X and PAULA and instructions for LMD instruments) or in your organization’s network firewall system. Please contact your IT admin for support to block the TCP port 22350. Once this port is blocked, you can continue working with your imaging software. In case activation of licenses might be blocked, please use the file-based activation via e-mail. |
| 3.4.0 | Confocal LifeScience System | If you are using advanced modalities such as STED or DIVE, please contact your Leica Technical Support to implement the update to version 3.5.7. If you own a customized solution or you do not want to update your software at the moment, please follow the instructions bewlow to block the TCP port 22350. If you are working with standard confocal only, please follow the instructions below. Update to version 3.5.7 (standard confocal mode operation only) 1) To install the new version, first download the zip file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_3.5.7_23225_Setup.zip 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. instructions below to block the TCP port 22350. To stop attackers from being able to exploit the vulnerability, the TCP port 22350 needs to be blocked in the network communication. It can be done either in your local Windows system (instructions for LAS X and PAULA and instructions for LMD instruments) or in your organization’s network firewall system. Please contact your IT admin for support to block the TCP port 22350. Once this port is blocked, you can continue working with your imaging software. In case activation of licenses might be blocked, please use the file-based activation via e-mail. |
| 3.5.0 | Confocal LifeScience System | If you are using advanced modalities such as STED or DIVE, please contact your Leica Technical Support to implement the update to version 3.5.7. If you own a customized solution or you do not want to update your software at the moment, please follow the instructions bewlow to block the TCP port 22350. If you are working with standard confocal only, please follow the instructions below. Update to version 3.5.7 (standard confocal mode operation only) 1) To install the new version, first download the zip file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_3.5.7_23225_Setup.zip 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. instructions below to block the TCP port 22350. To stop attackers from being able to exploit the vulnerability, the TCP port 22350 needs to be blocked in the network communication. It can be done either in your local Windows system (instructions for LAS X and PAULA and instructions for LMD instruments) or in your organization’s network firewall system. Please contact your IT admin for support to block the TCP port 22350. Once this port is blocked, you can continue working with your imaging software. In case activation of licenses might be blocked, please use the file-based activation via e-mail. |
| 3.5.1 | Confocal LifeScience System | If you are using advanced modalities such as STED or DIVE, please contact your Leica Technical Support to implement the update to version 3.5.7. If you own a customized solution or you do not want to update your software at the moment, please follow the instructions bewlow to block the TCP port 22350. If you are working with standard confocal only, please follow the instructions below. Update to version 3.5.7 (standard confocal mode operation only) 1) To install the new version, first download the zip file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_3.5.7_23225_Setup.zip 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. instructions below to block the TCP port 22350. To stop attackers from being able to exploit the vulnerability, the TCP port 22350 needs to be blocked in the network communication. It can be done either in your local Windows system (instructions for LAS X and PAULA and instructions for LMD instruments) or in your organization’s network firewall system. Please contact your IT admin for support to block the TCP port 22350. Once this port is blocked, you can continue working with your imaging software. In case activation of licenses might be blocked, please use the file-based activation via e-mail. |
| 3.5.2 | Confocal LifeScience System | If you are using advanced modalities such as STED or DIVE, please contact your Leica Technical Support to implement the update to version 3.5.7. If you own a customized solution or you do not want to update your software at the moment, please follow the instructions bewlow to block the TCP port 22350. If you are working with standard confocal only, please follow the instructions below. Update to version 3.5.7 (standard confocal mode operation only) 1) To install the new version, first download the zip file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_3.5.7_23225_Setup.zip 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. instructions below to block the TCP port 22350. To stop attackers from being able to exploit the vulnerability, the TCP port 22350 needs to be blocked in the network communication. It can be done either in your local Windows system (instructions for LAS X and PAULA and instructions for LMD instruments) or in your organization’s network firewall system. Please contact your IT admin for support to block the TCP port 22350. Once this port is blocked, you can continue working with your imaging software. In case activation of licenses might be blocked, please use the file-based activation via e-mail. |
| 3.5.5 | Confocal LifeScience System | If you are using advanced modalities such as STED or DIVE, please contact your Leica Technical Support to implement the update to version 3.5.7. If you own a customized solution or you do not want to update your software at the moment, please follow the instructions bewlow to block the TCP port 22350. If you are working with standard confocal only, please follow the instructions below. Update to version 3.5.7 (standard confocal mode operation only) 1) To install the new version, first download the zip file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_3.5.7_23225_Setup.zip 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. instructions below to block the TCP port 22350. To stop attackers from being able to exploit the vulnerability, the TCP port 22350 needs to be blocked in the network communication. It can be done either in your local Windows system (instructions for LAS X and PAULA and instructions for LMD instruments) or in your organization’s network firewall system. Please contact your IT admin for support to block the TCP port 22350. Once this port is blocked, you can continue working with your imaging software. In case activation of licenses might be blocked, please use the file-based activation via e-mail. |
| 3.5.6 | Confocal LifeScience System | If you are using advanced modalities such as STED or DIVE, please contact your Leica Technical Support to implement the update to version 3.5.7. If you own a customized solution or you do not want to update your software at the moment, please follow the instructions bewlow to block the TCP port 22350. If you are working with standard confocal only, please follow the instructions below. Update to version 3.5.7 (standard confocal mode operation only) 1) To install the new version, first download the zip file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_3.5.7_23225_Setup.zip 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. instructions below to block the TCP port 22350. To stop attackers from being able to exploit the vulnerability, the TCP port 22350 needs to be blocked in the network communication. It can be done either in your local Windows system (instructions for LAS X and PAULA and instructions for LMD instruments) or in your organization’s network firewall system. Please contact your IT admin for support to block the TCP port 22350. Once this port is blocked, you can continue working with your imaging software. In case activation of licenses might be blocked, please use the file-based activation via e-mail. |
| 3.7.0 up to 3.7.2 | Widefield LifeScience System | Solution: Update to version 3.7.3 |
| All Versions | Widefield LifeScience Systems GSD, TIRF-Confical | Solution: Block the TCP port 22350 To stop attackers from being able to exploit the vulnerability, the TCP port 22350 needs to be blocked in the network communication. It can be done either in your local Windows system (instructions for LAS X and PAULA and instructions for LMD instruments) or in your organization’s network firewall system. Please contact your IT admin for support to block the TCP port 22350. Once this port is blocked, you can continue working with your imaging software. In case activation of licenses might be blocked, please use the file-based activation via e-mail. |
| 4.0.1 | Confocal LifeScience System | Solution: Update to version 4.1.1 1) To install the new version, first download the zip file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_4.1.1_23273_Setup.zip 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. |
| 4.0.2 | Confocal LifeScience System | Solution: Update to version 4.1.1 1) To install the new version, first download the zip file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_4.1.1_23273_Setup.zip 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. |
| 4.1.0 | Confocal LifeScience System | Solution: Update to version 4.1.1 1) To install the new version, first download the zip file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_4.1.1_23273_Setup.zip 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. |
| Offline | Confocal LifeScience System (Legacy) | Solution: Update to offline version 3.5.7 1) To install the new version, first download the executable file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_Small_3.5.7_23225_Setup.exe 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. |
| Offline | Confocal LifeScience System (STELLARIS) | Solution: Update to offline version 4.1.1 1) To install the new version, first download the executable file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_Small_4.1.1_23273_Setup.exe 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. |
| Offline | Widefield LifeScience System | Solution: Update to offline version 3.7.3 1) To install the new version, first download the executable file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_Small_3.7.3_23245_Setup.exe 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. |
| Offline | Industry System | Solution: Update to offline version 3.0.14 1) To install the new version, first download the executable file from the following link webshare3.leica-microsystems.com/downloads/LAS_X_Small_3.0.14_23224_Setup.exe 2) Unzip the ZIP file on your local computer 3) From the unzipped files start the file Setup.exe (run as administrator) 4) Follow the instructions of the installation program If you have blocked the TCP port 22350 in the network or on your local machine as a temporary protection, you can unblock it now that you have installed the update. |
FAQs
Q: Is there a guide on how to block the TCP port 22350 in Windows 7?
A: Please use the following guidelines for Windows 7 based systems: Windows 7 Work Instructions.
Q: To block the TCP port 22350, I need an admin password for my Windows PC. What is the password for the admin account?
A: Please contact your local IT department. In case the PC was delivered by Leica Microsystems as part of a system solution, please contact technical service via the Service Portal.
Q: I assume that the vulnerability is with your application software only, but because we use the Leica SDK hardware, I would like to know whether it is also affected?
A: This issue does not affect the Leica SDK hardware for developers nor the Hardware Configurator, because they do not install and do not use the vulnerable component.
Q: Does the current security issue also affect the free LASX offline packages?
A: Yes, this affects also the free LASX offline packages.
Q: I want to solve this issue myself ASAP and noticed that WIBU provides the latest CodeMeter version on their web page. Can I update the CodeMeter software to the latest version to fix the security issue myself?
A: No, you need to install the next released software version from Leica Microsystems to solve this security issue. The release will be communicated on our webpage.
Q: Where can I find the release notes for the new software versions listed above?
A: The release notes for the individual versions can be found at the following links
- LASX 3.0.14: LAS_X_3.0.14_ReleaseNotes_Industry.pdf
- LASX 3.0.15: LAS_X_3.0.15_ReleaseNotes_Industry.pdf
- LASX 3.5.7: LAS_X_3.5.7_ReleaseNotes.pdf
- LASX 3.6.1: LAS_X_3.6.1_ReleaseNotes_Widefield.pdf
- LASX 3.7.3: LAS_X_3.7.3_ReleaseNotes_Widefield.pdf
- LAS X 4.1.1: LAS_X_4.1.1_ReleaseNotes.pdf
- LASX Offline Version Widefield Life Science Systems: LAS_X_3.7.3_ReleaseNotes_Widefield.pdf
- LASX Offline Version Applied Microscopy: LAS_X_3.0.14_ReleaseNotes_Industry.pdf
- LASX Offline Version 3.5.7 Confocal Life Science Systems Microscopy: LAS_X_3.5.7_ReleaseNotes.pdf
- LASX Offline Version 4.1.1 Confocal Life Science Systems Microscopy: LAS_X_4.1.1_ReleaseNotes.pd
- LMD 8.2.3: LMDWhatsNew_823.pdf
- Paula 1.2.3: PAULA_ReleaseNotes_1.2.3.pdf
Description of the Problem and Potential Risk
The software vendor WIBU Systems disclosed vulnerabilities in their product CodeMeter. This product is widely used in the industry for license management and is also embedded in image acquisition software from Leica Microsystems (in product lines LAS X , LAS AF, PAULA, LMD). The ability to exploit the vulnerability is limited to computers connected to a network. In a worst-case scenario, an attacker could cause a denial-of-service condition and attain remote code execution on the PC where the acquisition software is installed.
In general, please do not accept any certificates and licenses from untrusted sources and avoid visiting potentially malicious websites.
More information
For more details regarding the vulnerabilities in CodeMeter Runtime refer to:
- CISA Industrial Control Systems Advisory ICSA-20-203-01
- WIBU Systems Security Advisories
- WIBU Systems CodeMeter Runtime (please note: Using the latest version of the license component as a patch may result in limited functionality of your imaging software. Therefore, we recommend that you block the TCP port 22350 in the firewall as described above.)
