CVE-2021-20094: 
Wibu-Systems CodeMeter vulnerability analysis and mitigation

A denial of service vulnerability exists in Wibu-Systems CodeMeter versions < 7.21a. An unauthenticated remote attacker can exploit this issue to crash the CodeMeter Runtime Server (CodeMeter.exe) by sending a specially crafted packet to the CodeMeter Runtime CmWAN server (CISA Advisory, Tenable Research).

The vulnerability is a buffer over-read issue (CWE-126) in the CodeMeter Runtime CmWAN server component. The CVSS v3.1 base score is 7.5 HIGH with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it is network exploitable with low attack complexity and requires no privileges or user interaction (NVD).

Successful exploitation allows an attacker to cause a denial of service condition by crashing the CodeMeter Runtime Server. This affects the license management capabilities of systems using the vulnerable CodeMeter versions (CISA Advisory).

Wibu-Systems recommends updating to CodeMeter version 7.21a or later. The CmWAN server is disabled by default - if enabled, it should be disabled if not needed. If required, the CmWAN server should only be run behind a reverse proxy with user authentication. Using a host-based firewall to restrict access to the CmWAN port can further reduce risk from unauthenticated attackers (CISA Advisory).