VYPR
Unrated severity · NVD Advisory · Published Nov 26, 2014 · Updated May 6, 2026

CVE-2014-8419

Description

Wibu-Systems CodeMeter Runtime before 5.20 uses weak permissions (read and write access for all users) for codemeter.exe, which allows local users to gain privileges via a Trojan horse file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CodeMeter Runtime before 5.20 gives all users read/write permission on codemeter.exe, allowing local privilege escalation via a trojan horse file.

Vulnerability

The CodeMeter Runtime service executable codemeter.exe in Wibu-Systems CodeMeter Runtime versions before 5.20 is installed with weak file permissions, granting read and write access to all local users. This misconfiguration allows any local user to replace or modify the executable, while the service itself typically runs with elevated privileges [1].

Exploitation

An attacker requires only local access to the system as an unprivileged user. The attacker can replace the codemeter.exe file with a malicious trojan horse binary while retaining the same filename, leveraging the weak permissions. When the CodeMeter service is restarted (e.g., after a system reboot or by the attacker triggering a restart), the malicious binary executes in the context of the service, which typically runs with SYSTEM or high-integrity privileges [1].

Impact

Successful exploitation results in arbitrary code execution with the privileges of the CodeMeter service (usually SYSTEM). The attacker gains complete control over the affected system, including the ability to install programs, modify data, create new accounts, and perform any action with full administrative rights [1].

Mitigation

Wibu-Systems released CodeMeter Runtime version 5.20 to address this vulnerability. Users should upgrade to version 5.20 or later. As a workaround, administrators can manually restrict permissions on the codemeter.exe file to allow only trusted users (e.g., SYSTEM and Administrators) to modify it. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
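The permission workaround above can be verified before and after it is applied. The following PowerShell audit is an added example, not code from Wibu-Systems or the advisory; the path is a placeholder (the page does not give the install location), and the trusted-SID list, the parent-directory check and the icacls line in the closing comment are assumptions.

```powershell
# Added example: list write-capable ACEs held by untrusted principals on a
# service binary and on its parent directory. Read-only; changes nothing.
param([string]$Path = 'C:\PLACEHOLDER\codemeter.exe')  # placeholder: pass the real path
$ErrorActionPreference = 'Stop'

# Assumption: only these principals may modify the binary.
$TrustedSids = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow replacing or re-permissioning the file (or, on the directory,
# creating and deleting children), plus GENERIC_WRITE | GENERIC_ALL (0x50000000).
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000

function Get-WeakAce {
    param([Parameter(Mandatory)][string]$Target)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Target).GetAccessRules($true, $true, $sidType)) {
        # Inherit-only ACEs (flag value 2) do not apply to the object itself.
        $inheritOnly = ([int]$ace.PropagationFlags -band 2) -ne 0
        if ($ace.AccessControlType -ne 'Allow' -or $inheritOnly) { continue }
        if ($TrustedSids -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Target    = $Target
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# A writable parent directory lets the file be swapped even if its own ACL is
# tight, so both are checked.
$findings = @(Get-WeakAce -Target $Path) +
            @(Get-WeakAce -Target (Split-Path -Parent $Path))

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero exit so the check can gate a compliance job
}
Write-Output "No write-capable ACEs for untrusted principals on $Path or its directory."

# One way to apply the workaround from an elevated prompt (Users keep read/execute):
#   icacls <path> /inheritance:r /grant:r "*S-1-5-18:(F)" "*S-1-5-32-544:(F)" "*S-1-5-32-545:(RX)"
```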

References
  1. Packet Storm

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • cpe:2.3:a:wibu:codemeter_runtime:*:*:*:*:*:*:*:* (+ 1 more)
    • cpe:2.3:a:wibu:codemeter_runtime:*:*:*:*:*:*:*:* (range: <=5.10c)
    • (no CPE) (range: <5.20)
