
Security Advisory IBA-2021-02

CodeMeter Runtime Network Server: Heap Leak and Denial of Service

Publishing Date:2021-09-06
Last Update:2021-09-06
Tracking ID:IBA-2021-02
CVE:CVE-2021-20093
CVSS Base Score:9.1
CVSS v3 Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Summary

An attacker could send a specially crafted packet that causes the CodeMeter Runtime Network Server to send back packets containing data from the heap, or that crashes the server.

Affected products

ibaCapture
All versions prior to v5.1.3

ibaVision
All versions including v2.1.0

ibaDaVIS
All versions including v2.9.0

How do I know that I'm affected

Check the version number of the installed product in the About dialog which can be found in the Help menu.

Customer Actions

Please install the latest WIBU CodeMeter Runtime (≥ 7.21a), which can be downloaded from the WIBU website.
WIBU Download

Mitigations

According to WIBU the following actions also mitigate the risk.

  • Run CodeMeter as client only and bind the CodeMeter communication to localhost. With the binding on localhost, the attack is no longer possible over a remote network connection. The network server is disabled by default.
  • If the network server cannot be disabled, a host-based firewall that restricts access to the CmLAN port (22350/TCP by default) reduces the risk.

Technical Details

Issue

An attacker could send a specially crafted TCP/IP packet that causes the CodeMeter Runtime network server (default port 22350) to return packets containing data from the heap. When generating a response, the server copies data from a heap-based buffer into an output buffer that is sent in the response. The number of bytes to copy is taken from the client's request, not from the size of the buffer being copied. An unauthenticated remote attacker can exploit this to disclose heap memory contents or crash the CodeMeter Runtime Server (i.e., CodeMeter.exe).
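The following C program is an added illustration of the flaw class described above and is not WIBU's code or an exploit for CodeMeter; the packet format, the struct and function names, and the sizes ITEM_LEN, RESP_MAX and the SECRET bytes are all constructed for the example. It places a vulnerable response builder, which copies a client-controlled number of bytes out of a heap object, beside a hardened one that bounds the copy by the sizes the server itself knows, and shows that only the first echoes neighbouring heap data back to the client.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the flaw class in the advisory (constructed for
   illustration, not WIBU's code): the server builds a response by copying
   `len` bytes out of a heap object, and `len` is taken from the client. */

#define ITEM_LEN 16   /* size of the heap object a response may echo (assumed) */
#define RESP_MAX 64   /* capacity of the response buffer (assumed) */

struct request {
    uint32_t len;     /* client-supplied length field, as parsed from the packet */
};

/* Vulnerable: len is never checked. len > ITEM_LEN copies whatever sits
   after the object on the heap into the response (information disclosure);
   len > RESP_MAX also overflows resp, and a huge len reads off the end of
   the mapping (crash). */
size_t build_response_vulnerable(const struct request *req,
                                 const uint8_t *heap_item, uint8_t *resp)
{
    memcpy(resp, heap_item, req->len);
    return req->len;
}

/* Hardened: the copy length is bounded by what the server knows, the size
   of the object and of the output buffer, and an oversized request is
   rejected outright instead of being clamped and partially answered. */
int build_response_hardened(const struct request *req,
                            const uint8_t *heap_item, size_t item_len,
                            uint8_t *resp, size_t resp_cap, size_t *out_len)
{
    *out_len = 0;
    if (req->len > item_len || req->len > resp_cap)
        return -1;                        /* malformed request: answer nothing */
    memcpy(resp, heap_item, req->len);
    *out_len = req->len;
    return 0;
}

/* Constructed neighbouring heap data the client should never see. */
static const uint8_t SECRET[] = "LICENSE-KEY-0042";

/* Lays out one allocation as [item | SECRET] so the over-read stays inside
   a single object and is observable without undefined behaviour. Returns 1
   if the vulnerable builder echoed SECRET back to the "client". */
int vulnerable_leaks_neighbour(void)
{
    size_t secret_len = sizeof(SECRET);
    uint8_t *block = malloc(ITEM_LEN + secret_len);
    if (!block)
        return -1;
    memset(block, 'A', ITEM_LEN);
    memcpy(block + ITEM_LEN, SECRET, secret_len);

    struct request req = { .len = ITEM_LEN + (uint32_t)secret_len };
    uint8_t resp[RESP_MAX] = { 0 };
    size_t n = build_response_vulnerable(&req, block, resp);

    int leaked = n > ITEM_LEN &&
                 memcmp(resp + ITEM_LEN, SECRET, secret_len) == 0;
    free(block);
    return leaked;
}

/* Runs the hardened builder against a request carrying client_len. */
static int run_hardened(uint32_t client_len, size_t *produced)
{
    uint8_t item[ITEM_LEN];
    uint8_t resp[RESP_MAX];
    memset(item, 'A', ITEM_LEN);
    struct request req = { .len = client_len };
    return build_response_hardened(&req, item, ITEM_LEN, resp, RESP_MAX, produced);
}

/* 0 = request answered, -1 = request rejected. */
int hardened_status(uint32_t client_len)
{
    size_t n;
    return run_hardened(client_len, &n);
}

/* Number of bytes the hardened builder actually put in the response. */
size_t hardened_bytes(uint32_t client_len)
{
    size_t n = 0;
    run_hardened(client_len, &n);
    return n;
}

int main(void)
{
    printf("vulnerable builder leaks neighbouring heap data: %s\n",
           vulnerable_leaks_neighbour() == 1 ? "yes" : "no");
    printf("hardened builder, len=%d: %s (%zu bytes)\n", ITEM_LEN,
           hardened_status(ITEM_LEN) == 0 ? "answered" : "rejected",
           hardened_bytes(ITEM_LEN));
    printf("hardened builder, len=%d: %s (%zu bytes)\n", ITEM_LEN + 1,
           hardened_status(ITEM_LEN + 1) == 0 ? "answered" : "rejected",
           hardened_bytes(ITEM_LEN + 1));
    return 0;
}
```

The point of the hardened variant is that the bound comes from server-side state (the object's real size and the output buffer's capacity), never from the packet, and that an out-of-range length is treated as a protocol error rather than silently truncated: clamping would still let a client probe how large the object is. In a real server the same check has to happen before any allocation sized from the client's length field as well.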

Timeline

2021-06-10 Security Advisory WIBU-210423-01 published by WIBU
2021-09-06 Security advisory published