
Cloud Vulnerability DB
A community-led vulnerabilities database
A buffer over-read vulnerability exists in Wibu-Systems CodeMeter versions < 7.21a. The vulnerability, tracked as CVE-2021-20093, affects the CodeMeter Runtime license manager software. An unauthenticated remote attacker can exploit this issue to disclose heap memory contents or crash the CodeMeter Runtime Server. The vulnerability was discovered by Tenable, Inc. and reported to CISA (CISA Advisory).
The vulnerability exists in the CodeMeter CmLAN server component that allows unencrypted messages from remote clients if the message body starts with specific bytes. When generating a response, the server copies data from a heap-based buffer of 0x100 bytes to an output buffer to be sent in the response, with the copy size controlled by the client. This buffer over-read vulnerability has been assigned a CVSS v3 base score of 9.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) (Tenable Research).
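The paragraph above describes the shape of the flaw: a client-chosen copy length applied to a 0x100-byte heap buffer. The C program below is an added illustration written for this page, not CodeMeter's code or Wibu-Systems' fix. It models that pattern in one owned allocation (a 0x100-byte source region followed by constructed "neighbour" data standing in for unrelated heap contents) so the over-read can be shown without undefined behaviour, and places the unchecked response builder beside a bounded one that rejects any length larger than the source buffer. The 0x100 size is the only value taken from the advisory; every other name, size and byte value is a constructed assumption.

```c
/* Added illustration of a client-controlled copy length over a fixed-size
 * heap buffer, next to the bounded version a defender would expect.
 * Not CodeMeter's code; only SRC_BUF_SIZE (0x100) comes from the advisory. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define SRC_BUF_SIZE   0x100u  /* heap buffer size named in the advisory */
#define NEIGHBOUR_SIZE 0x40u   /* constructed: adjacent heap data that must not leak */
#define OUT_CAP        0x200u  /* constructed: response buffer capacity */
#define NEIGHBOUR_BYTE 0x53u   /* constructed marker so leaked bytes can be counted */

/* One allocation standing in for a heap region: the source buffer followed by
 * unrelated data. Reading past SRC_BUF_SIZE stays inside this allocation, so
 * the model is well-defined while still showing what an over-read returns. */
typedef struct {
    uint8_t bytes[SRC_BUF_SIZE + NEIGHBOUR_SIZE];
} heap_region_t;

static heap_region_t *make_region(void) {
    heap_region_t *h = calloc(1, sizeof *h);
    if (!h) return NULL;
    memset(h->bytes, 0x41, SRC_BUF_SIZE);                        /* legitimate data */
    memset(h->bytes + SRC_BUF_SIZE, NEIGHBOUR_BYTE, NEIGHBOUR_SIZE); /* neighbour data */
    return h;
}

/* Vulnerable shape: the copy size comes from the client message and is only
 * checked against the destination, never against the 0x100-byte source.
 * The second guard exists solely to keep this model inside its own
 * allocation; the pattern it illustrates has no such limit. */
static size_t build_response_unchecked(const heap_region_t *h, size_t requested,
                                       uint8_t *out, size_t out_cap) {
    if (requested > out_cap) return 0;
    if (requested > sizeof h->bytes) return 0;
    memcpy(out, h->bytes, requested);
    return requested;
}

/* Bounded shape: the client may ask for any prefix of the source buffer,
 * but never more bytes than the source buffer holds. */
static size_t build_response_checked(const heap_region_t *h, size_t requested,
                                     uint8_t *out, size_t out_cap) {
    if (requested > SRC_BUF_SIZE || requested > out_cap) return 0;
    memcpy(out, h->bytes, requested);
    return requested;
}

/* Count response bytes that came from beyond the source buffer. */
static size_t leaked_bytes(const uint8_t *out, size_t len) {
    size_t n = 0;
    for (size_t i = SRC_BUF_SIZE; i < len; i++)
        if (out[i] == NEIGHBOUR_BYTE) n++;
    return n;
}

/* Number of neighbour bytes the unchecked builder discloses for one request. */
static size_t unchecked_leak(size_t requested) {
    heap_region_t *h = make_region();
    if (!h) return 0;
    uint8_t out[OUT_CAP];
    size_t n = build_response_unchecked(h, requested, out, sizeof out);
    size_t leaked = leaked_bytes(out, n);
    free(h);
    return leaked;
}

/* Response length the bounded builder produces for the same request
 * (0 means the request was rejected). */
static size_t checked_length(size_t requested) {
    heap_region_t *h = make_region();
    if (!h) return 0;
    uint8_t out[OUT_CAP];
    size_t n = build_response_checked(h, requested, out, sizeof out);
    free(h);
    return n;
}

int main(void) {
    size_t reqs[] = { 0x80, 0x100, 0x110 };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("request 0x%zx: unchecked builder leaks %zu neighbour bytes, "
               "bounded builder returns %zu bytes\n",
               reqs[i], unchecked_leak(reqs[i]), checked_length(reqs[i]));
    return 0;
}
```

The fix that matters is the comparison against the source size, not the destination: checking only that the response fits in the output buffer is exactly the condition that lets a larger-than-0x100 request walk into adjacent heap memory. The same model also shows why the advisory lists a crash as an outcome: once the requested length exceeds what is mapped after the buffer, the copy faults instead of leaking.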
Successful exploitation of this vulnerability could allow an attacker to read sensitive data from the heap of the CodeMeter Runtime network server or cause a denial-of-service condition by crashing the CodeMeter Runtime Server (CodeMeter.exe). The vulnerability affects multiple critical infrastructure sectors worldwide (CISA Advisory).
Wibu-Systems has released version 7.21a, which fixes the vulnerability. For systems that cannot be updated immediately, several workarounds are available:
1) Run CodeMeter as client only and use localhost binding for CodeMeter communication.
2) The network server is disabled by default; keep it disabled.
3) If the network server must be enabled, use a host-based firewall to restrict access to the CmLAN port.
CISA also recommends minimizing network exposure for control systems and isolating them behind firewalls (CISA Advisory).
Source: This report was generated using AI