
Security Advisory IBA-2021-03

CodeMeter Runtime for Windows: Denial of Service (DoS)

Publishing Date: 2021-10-06
Last Update: 2022-07-05
Tracking ID: IBA-2021-03
CVE: CVE-2021-41057
CVSS Base Score: 7.1
CVSS v3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Summary

A local attacker could cause a Denial of Service by overwriting existing files on the affected system.

Affected products

ibaCapture
All versions ≤ v5.1.4

ibaVision
All versions ≤ v2.1.0

ibaDaVIS
All versions ≤ v2.10.1

How do I know that I'm affected?

Check the version number of the installed product in the About dialog which can be found in the Help menu.

Customer Actions

Windows 7: Apply the mitigation techniques recommended by WIBU in their advisory WIBU-210910-01, which are also listed below in the Mitigations section.

Windows 10 or higher: Please install the latest WIBU CodeMeter Runtime (≥ 7.30a), which can be downloaded from the WIBU website.
Please check the datasheet of the WIBU CodeMeter Runtime to see if your operating system is supported. The datasheets can be found here.

Mitigations

According to WIBU the following actions mitigate the risk.

  • Restrict unprivileged access to machines running the CodeMeter License Server service.
  • Disable the container type "Mass Storage" in CodeMeter: if there are no CmDongles connected to the affected machine, or if the connected CmDongles are configured as HID, the CodeMeter communication with "Mass Storage" devices can be disabled in the Windows Registry as follows:
    • Set the value of the key "HKEY_LOCAL_MACHINE\SOFTWARE\WIBU-SYSTEMS\CodeMeter\Server\CurrentVersion\EnabledContainerTypes" to 4294967294 (0xFFFFFFFE).
    • Restart CodeMeter to apply this change.
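The registry change described above, scripted as an added example; this is not code from the iba or WIBU advisories. It reports the current value of EnabledContainerTypes, writes the advisory value 0xFFFFFFFE only if it differs, restarts the CodeMeter service and reads the value back. The service name "CodeMeter.exe" is an assumption and should be checked with Get-Service before running; the script must run from an elevated PowerShell session.

```powershell
# Added example (not from the iba/WIBU advisory): apply and verify the WIBU-210910-01
# registry mitigation that disables the "Mass Storage" container type in CodeMeter.
# Run from an elevated PowerShell session on the affected machine.
# Assumption: the CodeMeter License Server service is named "CodeMeter.exe";
# adjust $ServiceName if Get-Service shows a different name on your system.

$RegPath     = 'HKLM:\SOFTWARE\WIBU-SYSTEMS\CodeMeter\Server\CurrentVersion'
$ValueName   = 'EnabledContainerTypes'
$TargetValue = [uint32]4294967294   # 0xFFFFFFFE, the value given in the advisory
$ServiceName = 'CodeMeter.exe'      # assumed service name, verify with Get-Service

# REG_DWORD values come back from the registry provider as signed Int32, so
# convert in both directions with BitConverter to avoid "too large for Int32" errors.
function ConvertTo-RegDword([uint32]$Value) {
    [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
}
function ConvertFrom-RegDword([int]$Value) {
    [BitConverter]::ToUInt32([BitConverter]::GetBytes($Value), 0)
}

# Returns the current mask as an unsigned value, or $null if the value is absent
# (in which case the CodeMeter default applies).
function Get-EnabledContainerTypes {
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    ConvertFrom-RegDword $item.$ValueName
}

# 1. Report the current state so the change is auditable.
$current = Get-EnabledContainerTypes
if ($null -eq $current) {
    Write-Host "$ValueName is not set (CodeMeter default in effect)"
} else {
    Write-Host ("{0} is currently 0x{1:X8} ({1})" -f $ValueName, $current)
}

# 2. Write the advisory value only if it differs.
if ($current -eq $TargetValue) {
    Write-Host 'Mitigation already applied; nothing to do.'
} else {
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $ValueName -Type DWord -Value (ConvertTo-RegDword $TargetValue)

    # 3. Restart CodeMeter so the new container mask is read.
    Restart-Service -Name $ServiceName -Force

    # 4. Read the value back and confirm it matches the advisory.
    $after = Get-EnabledContainerTypes
    if ($after -eq $TargetValue) {
        Write-Host ("Mitigation applied: {0} = 0x{1:X8}" -f $ValueName, $after)
    } else {
        Write-Warning ("Unexpected value after write: {0}" -f $after)
    }
}
```

The same Get-EnabledContainerTypes function can be run on its own from a non-elevated session as a read-only compliance check: a result other than 0xFFFFFFFE on a machine that has no CmDongles, or only HID-configured ones, means the mitigation is not in place.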

General security best practices can help to protect systems from local and network attacks.

Technical Details

Issue

If an attacker with basic user capabilities manages to set up a link to a special system file used with CmDongles, then essential files in the system could get overwritten.
Exploiting the vulnerability requires at least an unprivileged user account on the machine.
The mobile installation of the CodeMeter Runtime is not affected by this vulnerability because in this case, CodeMeter runs in the user space instead of running as a Windows service.

Timeline

2022-07-05 Updated affected products section
2021-10-05 Security Advisory WIBU-210910-01 published by WIBU
2021-10-06 Security advisory published