VYPR
Unrated severity · NVD Advisory · Published Sep 16, 2020 · Updated Aug 4, 2024

CVE-2020-14517

Description

Protocol encryption can be easily broken for CodeMeter (All versions prior to 6.90 are affected, including Version 6.90 or newer only if CodeMeter Runtime is running as server) and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Protocol encryption in CodeMeter Runtime (versions prior to 6.90, or 6.90+ when running as server) is easily broken, enabling remote attackers to communicate with the API and potentially execute arbitrary code.

Vulnerability

The vulnerability exists in CodeMeter Runtime, a license manager by Wibu-Systems AG. It affects all versions prior to 6.90, as well as version 6.90 or newer if CodeMeter Runtime is running as a server and accepts external connections. The protocol encryption can be easily broken, allowing an attacker to remotely communicate with the CodeMeter API. [1]

Exploitation

An attacker can exploit this weakness remotely with low attack complexity and without authentication or user interaction. The attacker sends specially crafted packets to the CodeMeter service, which the packet parser processes without properly verifying length fields, leading to buffer access with an incorrect length value. [1]

Impact

Successful exploitation could allow an attacker to alter and forge license files, cause a denial-of-service condition, potentially achieve remote code execution, read heap data, and disrupt the normal operation of third-party software that depends on CodeMeter. The CVSS v3 base score is 10.0, with the vector string (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) indicating complete compromise of confidentiality, integrity, and availability across system boundaries. [1]

Mitigation

Wibu-Systems has released a fix in CodeMeter Runtime version 7.10a. According to CISA, all versions prior to 7.10a are affected by CVE-2020-14517. Users should update to version 7.10a or later. If immediate patching is not possible, restricting network access to the CodeMeter service and ensuring it does not accept external connections can reduce risk. This vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog. [1]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • CodeMeter/CodeMeter · description
  • Wibu/Codemeter · llm-fuzzy
    Range: <6.90; >=6.90 if running as server
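
An added triage example (not from the advisory or from Wibu-Systems): it applies the affected range listed above and the advice not to accept external connections to one host, given its CodeMeter version and its `ss -ltn` output. The default port 22350, the status labels, and treating a non-loopback listener as "running as server" are assumptions; the sample output is constructed.

```python
import ipaddress
import re

CODEMETER_PORT = 22350  # assumption: CodeMeter's default TCP port, not stated on the page

# Constructed sample of `ss -ltn` output for illustration.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:22350    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22350      0.0.0.0:*
LISTEN 0      128    [::1]:22350        [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
"""

def parse_version(text):
    """Parse '6.81' -> (6, 81, '') and '7.10a' -> (7, 10, 'a')."""
    m = re.fullmatch(r"(\d+)\.(\d+)([a-z]?)", text.strip())
    if not m:
        raise ValueError(f"unrecognised CodeMeter version: {text!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3)

def external_listeners(ss_output, port=CODEMETER_PORT):
    """Local sockets listening on `port` that are not bound to loopback."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        local = fields[3]
        addr, _, p = local.rpartition(":")
        if p != str(port):
            continue
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
        if addr in ("*", "0.0.0.0", "::") or not ipaddress.ip_address(addr).is_loopback:
            found.append(local)
    return found

def triage(version, ss_output):
    """Apply the listed range: <6.90 always; >=6.90 only if serving the network."""
    major_minor = parse_version(version)[:2]
    listeners = external_listeners(ss_output)
    if major_minor < (6, 90):
        return "affected", listeners
    if listeners:  # heuristic stand-in for "running as server"
        return "affected-if-server", listeners
    return "not-exposed", listeners

if __name__ == "__main__":
    print(triage("6.81", SAMPLE_SS))
```

A non-empty listener list on a host that is not meant to serve licenses is the case the mitigation advice targets, whatever the version.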

Patches

0

No patches discovered yet.

References

1
