resortnsa.blogg.se

Codemeter runtime server alert













ATTENTION: Exploitable remotely/low attack complexity.

Vulnerabilities: Buffer Access with Incorrect Length Value, Inadequate Encryption Strength, Origin Validation Error, Improper Input Validation, Improper Verification of Cryptographic Signature, Improper Resource Shutdown or Release.

This updated advisory is a follow-up to the advisory update titled ICSA-20-203-01 Wibu-Systems CodeMeter (Update E) that was published February 11, 2021, to the ICS webpage on

Successful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data, and prevent normal operation of third-party software dependent on the CodeMeter.

The following versions of CodeMeter Runtime, a license manager, are affected:

- All versions prior to 7.10a are affected by CVE-2020-14517.
- All versions prior to 7.10 are affected by CVE-2020-16233.
- All versions prior to 6.81 are affected by CVE-2020-14513.
- All versions prior to 6.90 are affected by CVE-2020-14515 when using CmActLicense update files with CmActLicense Firm Code.

This license manager is used in products by many different vendors. As new instances are discovered/reported, they will be added to this list of affected products.

4.2 VULNERABILITY OVERVIEW

4.2.1 BUFFER ACCESS WITH INCORRECT LENGTH VALUE CWE-805

Multiple memory corruption vulnerabilities exist where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.

CVE-2020-14509 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

4.2.2 INADEQUATE ENCRYPTION STRENGTH CWE-326

Protocol encryption can be easily broken and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.

CVE-2020-14517 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).

This vulnerability allows an attacker to use the internal WebSockets API via a specifically crafted JavaScript payload, which may allow alteration or creation of license files when combined with CVE-2020-14515.

CVE-2020-14519 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).

4.2.4 IMPROPER INPUT VALIDATION CWE-20

CodeMeter and the software using it may crash while processing a specifically crafted license file due to unverified length fields.

CVE-2020-14513 has been assigned to this vulnerability.
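
The affected-version list on this page can be turned into an inventory check. The following is an added example, not code from the advisory or from Wibu-Systems: it covers only the four version thresholds stated on this page, and it assumes version strings of the form major.minor with an optional letter suffix (so 7.10 sorts before 7.10a). The host names and inventory are constructed.

```python
import re

# (first unaffected version, CVE, applies only with CmActLicense Firm Code), per this page.
FIXED_IN = [
    ("7.10a", "CVE-2020-14517", False),
    ("7.10", "CVE-2020-16233", False),
    ("6.81", "CVE-2020-14513", False),
    ("6.90", "CVE-2020-14515", True),
]

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)([a-z]?)\s*$", re.IGNORECASE)

def parse_version(text):
    """Turn '7.10a' into (7, 10, 'a'); a bare '7.10' sorts before '7.10a'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised CodeMeter version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3).lower()

def applicable_cves(installed, uses_cmact_firm_code=False):
    """Return the CVEs from FIXED_IN that apply to an installed version."""
    current = parse_version(installed)
    hits = []
    for fixed, cve, needs_cmact in FIXED_IN:
        if current >= parse_version(fixed):
            continue  # at or past the first unaffected version
        if needs_cmact and not uses_cmact_firm_code:
            continue  # CVE-2020-14515 is conditional on CmActLicense Firm Code
        hits.append(cve)
    return hits

def audit(inventory):
    """inventory: iterable of (host, version, uses_cmact_firm_code)."""
    report = {}
    for host, version, cmact in inventory:
        try:
            report[host] = applicable_cves(version, cmact)
        except ValueError as exc:
            report[host] = [f"UNKNOWN ({exc})"]  # never treat unparsed as patched
    return report

# Constructed sample inventory; the last entry is deliberately malformed.
SAMPLE = [("hmi-01", "6.70", True), ("eng-ws-02", "6.90", False),
          ("lic-srv-03", "7.10", False), ("lic-srv-04", "7.10a", True),
          ("plc-gw-05", "7,1", False)]

if __name__ == "__main__":
    for host, cves in audit(SAMPLE).items():
        print(f"{host:12} {', '.join(cves) if cves else 'none of the listed CVEs'}")
```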














