
Security Advisory IBA-2020-01

WIBU Systems CodeMeter Runtime Vulnerabilities in iba Products

Publishing Date: 2021-04-24
Last Update: 2021-04-24
Tracking ID: IBA-2020-01

Summary

CISA and WIBU Systems disclosed six vulnerabilities in different versions of CodeMeter Runtime, a product provided by WIBU Systems and used in two iba products for license management.

Affected products

ibaCapture V5 < v5.0.2
ibaDaVIS V2 < v2.8.0

How do I know that I'm affected?

Check the version number of the installed product in the About dialog, which can be found in the Help menu or in the web interface.

Customer Actions

Upgrade to the following versions of the products.

ibaCapture V5 >= v5.0.2
ibaDaVIS V2 >= v2.8.0

Mitigations

If an upgrade/update to the latest iba software version is currently not possible, update the CodeMeter Runtime to V7.10a or later: download the latest version of the CodeMeter User Runtime for Windows from the WIBU Systems User Software website and install the CodeMeter Runtime package on the affected system.

Technical Details

Classification

The vulnerability classification was performed using the CVSS scoring system in version 3.1 (CVSS v3.1, https://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and affects the overall CVSS score; the customer should therefore define the environmental score individually to arrive at the final score.

CVE-2020-14509

Multiple memory corruption vulnerabilities exist where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.

CVSS v3.1 Score 10.0
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C

CVE-2020-14513

CodeMeter and the software using it may crash while processing a specifically crafted license file due to unverified length fields.

CVSS v3.1 Score 7.5
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C

CVE-2020-14515

There is an issue in the license-file signature checking mechanism, which could allow attackers to build arbitrary license files, including forging a valid license file as if it were a valid license file of an existing vendor. Only CmActLicense update files with CmActLicense Firm Code are affected.

CVSS v3.1 Score 7.4
CVSS Vector CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H/E:P/RL:O/RC:C

CVE-2020-14517

Protocol encryption can be easily broken and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.

CVSS v3.1 Score 9.4
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H/E:P/RL:O/RC:C

CVE-2020-14519

This vulnerability could allow an attacker to use an internal API via a specifically crafted JavaScript payload, which may allow alteration or creation of license files.

CVSS v3.1 Score 8.1
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C

CVE-2020-16233

An attacker could send a specially crafted packet that could have the server send back packets containing data from the heap.

CVSS v3.1 Score 7.5
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:T/RC:C

Timeline

2020-09-07 Notification from WIBU Systems
2020-09-17 New ibaCapture software released with fix
2020-09-24 Security advisory published in the form of a Product Information Newsletter
2021-02-22 New ibaDaVIS software released with fix
2021-04-24 Security advisory published