VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2021 · Updated Aug 3, 2024

CVE-2021-20094

Description

A denial of service vulnerability exists in Wibu-Systems CodeMeter versions < 7.21a. An unauthenticated remote attacker can exploit this issue to crash the CodeMeter Runtime Server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated remote attacker can crash the CodeMeter Runtime Server via a specially crafted packet, affecting versions prior to 7.21a.

Vulnerability

A buffer over-read vulnerability exists in the CodeMeter Runtime CmWAN server (CVE-2021-20094). The server processes unencrypted messages from remote clients, and when generating a response, it copies data from a heap-based buffer of 0x100 bytes to an output buffer. The copy size is controlled by the client, allowing an attacker to specify a size larger than the source buffer, leading to an over-read. This affects all versions of CodeMeter Runtime prior to 7.21a [1][2].
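The bug class described above, as an added illustration that is not Wibu-Systems code and is not taken from the advisory: a hypothetical response builder shown with the client-controlled copy length, next to a version that validates that length against the 0x100-byte source buffer. All function names, the output buffer size and the buffer layout are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SRC_BUF_SIZE 0x100 /* heap source buffer size stated in the advisory */
#define OUT_BUF_SIZE 0x400 /* assumed output buffer size, for illustration */

/* Unsafe pattern (hypothetical names, not CodeMeter source): the copy length
 * comes from the client and is checked only against the destination, so any
 * length above SRC_BUF_SIZE reads past the end of src. */
int build_response_unchecked(uint8_t *out, size_t out_cap,
                             const uint8_t *src, size_t client_len)
{
    if (client_len > out_cap)
        return -1;
    memcpy(out, src, client_len);
    return (int)client_len;
}

/* Hardened form: the client length must fit the source and the destination.
 * Oversized requests are rejected instead of truncated. */
int build_response_checked(uint8_t *out, size_t out_cap, const uint8_t *src,
                           size_t src_len, size_t client_len)
{
    if (out == NULL || src == NULL)
        return -1;
    if (client_len > src_len || client_len > out_cap)
        return -1;
    memcpy(out, src, client_len);
    return (int)client_len;
}

/* Constructed demo: run the checked builder for one requested length. */
int demo_checked(size_t requested)
{
    uint8_t out[OUT_BUF_SIZE];
    uint8_t *src = calloc(1, SRC_BUF_SIZE);
    if (src == NULL)
        return -2;
    int n = build_response_checked(out, sizeof out, src, SRC_BUF_SIZE, requested);
    free(src);
    return n;
}

int main(void)
{
    printf("0x100 -> %d, 0x101 -> %d\n", demo_checked(0x100), demo_checked(0x101));
    return 0;
}
```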

Exploitation

An unauthenticated remote attacker can exploit this issue by sending a specially crafted packet to the CmWAN server. No authentication or user interaction is required. The attacker controls the copy size parameter, causing the server to read beyond the allocated heap buffer. This can trigger an access violation and crash the CodeMeter Runtime Server (CodeMeter.exe) [1][2].

Impact

Successful exploitation results in a denial of service (DoS) condition, crashing the CodeMeter Runtime Server. The CVSS v3 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating no confidentiality or integrity impact, but high availability impact [2]. The server becomes unavailable until restarted.

Mitigation

Wibu-Systems released version 7.21a to address this vulnerability. Users should update to 7.21a or later. If updating is not immediately possible, a workaround is to restrict network access to the CodeMeter server using a host-based firewall, or configure the server to bind only to localhost, which prevents remote exploitation [2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Wibu-Systems/CodeMeter (description)
  • Wibu/Codemeter (llm-fuzzy)
    Range: < 7.21a

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

4
