CVE-2020-14509
Description
Multiple memory corruption vulnerabilities exist in CodeMeter (All versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-14509 describes multiple memory corruption vulnerabilities in CodeMeter versions prior to 7.10 due to missing length field validation, enabling remote code execution.
Vulnerability
Multiple memory corruption vulnerabilities exist in CodeMeter Runtime, a license manager, affecting all versions prior to 7.10. The packet parser mechanism fails to verify length fields, allowing an attacker to trigger buffer access with an incorrect length value (CWE-805). No authentication or user interaction is required for exploitation [1].
Exploitation
An attacker can send specially crafted packets over the network to the vulnerable CodeMeter service. The attack is classified as low complexity with no required privileges or user interaction. The exact sequence involves manipulating packet length fields to cause memory corruption [1].
Impact
Successful exploitation could allow an attacker to alter and forge license files, cause a denial-of-service condition, obtain remote code execution, read heap data, and prevent normal operation of third-party software dependent on CodeMeter. The confidentiality, integrity, and availability impacts are all high, with a CVSS v3 score of 10.0 [1].
Mitigation
Wibu-Systems released version 7.10a to address these vulnerabilities. Users should update to CodeMeter Runtime version 7.10a or later. This CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CodeMeter/CodeMeter
Patches
No patches discovered yet.
References
[1] us-cert.cisa.gov/ics/advisories/icsa-20-203-01 (mitre, x_refsource_MISC)