CVE-2021-20093
📋 TL;DR
CVE-2021-20093 is a buffer over-read vulnerability in Wibu-Systems CodeMeter that allows unauthenticated remote attackers to read heap memory contents or cause denial of service. This affects CodeMeter Runtime Server versions before 7.21a, potentially exposing sensitive information or crashing the service. Organizations using CodeMeter for software license management or DRM protection are at risk.
💻 Affected Systems
- Wibu-Systems CodeMeter Runtime Server
📦 What is this software?
Pss Cape by Siemens
Sinec Infrastructure Network Services by Siemens
⚠️ Risk & Real-World Impact
Worst Case
Complete disclosure of sensitive heap memory contents including cryptographic keys, license data, or system information leading to full system compromise.
Likely Case
Information disclosure of heap memory contents and potential denial of service through server crashes.
If Mitigated
Limited information disclosure with no critical data exposure if proper memory isolation and access controls are implemented.
🎯 Exploit Status
Public proof-of-concept code exists demonstrating memory disclosure. The unauthenticated nature makes exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.21a or later
Vendor Advisory: https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210423-01.pdf
Restart Required: Yes
Instructions:
1. Download CodeMeter Runtime Server version 7.21a or later from the Wibu-Systems website.
2. Stop the CodeMeter service.
3. Install the updated version.
4. Restart the CodeMeter service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to the CodeMeter Runtime Server to trusted hosts and networks only.
Use firewall rules to block external access to the CodeMeter ports (default TCP 22350 and 22351).
Service Disablement
Temporarily disable the CodeMeter Runtime Server if it is not required for critical operations.
Windows: sc stop CodeMeterRuntime
Linux: systemctl stop codemeter
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to trusted hosts only
- Monitor for abnormal memory access patterns or unexpected service crashes
🔍 How to Verify
Check if Vulnerable:
Check CodeMeter version via Control Center or command line. Versions below 7.21a are vulnerable.
Check Version:
Windows: "C:\Program Files (x86)\CodeMeter\Runtime\bin\cmu.exe" --version
Linux: /usr/bin/cmu --version
Verify Fix Applied:
Verify installed version is 7.21a or higher and test that the service runs without memory access errors.
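The version check above comes down to comparing the installed CodeMeter version string with the 7.21a threshold. CodeMeter versions carry a letter suffix (7.20a, 7.21a), so a plain string or float comparison gets the ordering wrong. The script below is an added example, not part of the advisory or a Wibu-Systems tool: it parses a major.minor[letter] token out of whatever text `cmu --version` prints, orders the letter suffix after the numeric part, and reports whether the version is below 7.21a. The sample output lines are constructed; the exact wording of real `cmu` output is not given on the page, and treating a suffix-less version such as 7.21 as sorting below 7.21a is an assumption.

```python
"""Classify an installed CodeMeter Runtime version against the 7.21a fix threshold.

Added example for CVE-2021-20093; not Wibu-Systems code. The page states that
versions below 7.21a are vulnerable and that `cmu --version` prints the version.
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "7.21a"  # first fixed release named in the advisory

# major.minor followed by an optional single lowercase letter, e.g. 7.21a
_VERSION_RE = re.compile(r"(\d+)\.(\d+)([a-z]?)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, suffix) for the first version token in text, or None.

    The letter suffix is mapped a=1, b=2, ... so tuples compare in release order.
    A missing letter maps to 0 (assumption: 7.21 is treated as older than 7.21a).
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, letter = int(m.group(1)), int(m.group(2)), m.group(3)
    suffix = (ord(letter) - ord("a") + 1) if letter else 0
    return (major, minor, suffix)


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if the version found in version_text is below 7.21a; None if no version is found."""
    found = parse_version(version_text)
    if found is None:
        return None
    return found < parse_version(FIXED_VERSION)


def check_installed(cmu_path: str = "cmu") -> Optional[bool]:
    """Run the page's own check (`cmu --version`) and classify its output.

    Returns None if cmu cannot be executed or prints no recognizable version.
    """
    try:
        proc = subprocess.run(
            [cmu_path, "--version"], capture_output=True, text=True, timeout=10
        )
    except (OSError, subprocess.TimeoutExpired):
        return None
    return is_vulnerable(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Constructed sample lines for offline use; real cmu output may be worded differently.
    samples = [
        "Version 7.20a of 2021-01-15",
        "Version 7.21a of 2021-04-28",
        "Version 7.30 (Build 1)",
        "no version string here",
    ]
    for sample in samples:
        print(f"{sample!r} -> vulnerable={is_vulnerable(sample)}")
```

On a real host, call `check_installed(r"C:\Program Files (x86)\CodeMeter\Runtime\bin\cmu.exe")` on Windows or `check_installed("/usr/bin/cmu")` on Linux; a result of `None` means the tool did not run or printed nothing parseable, which should be investigated rather than read as "not vulnerable".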
📡 Detection & Monitoring
Log Indicators:
- Unexpected memory access errors in CodeMeter logs
- Service crash events in system logs
- Abnormal network connections to CodeMeter ports
Network Indicators:
- Unusual traffic patterns to TCP ports 22350/22351
- Multiple connection attempts from untrusted sources
SIEM Query:
(source="codemeter.log" AND ("memory" OR "buffer" OR "crash")) OR (destination_port IN (22350, 22351) AND NOT source_ip IN (trusted_networks))
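The network indicators above reduce to one rule: connections to TCP 22350 or 22351 from any source outside the trusted networks, with repeated attempts from one source being the stronger signal. The script below is an added example, not part of the advisory or of any SIEM product: it applies that rule to constructed key=value connection log lines, skips lines that are malformed or not about the CodeMeter ports, and counts hits per untrusted source so repeat offenders stand out. The log format and the trusted CIDR range are assumptions chosen for the example.

```python
"""Flag connections to CodeMeter ports from hosts outside the trusted networks.

Added example for CVE-2021-20093; not vendor code. The ports are the defaults
named on the page; the log format and trusted range below are constructed.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List

CODEMETER_PORTS = {22350, 22351}  # default CodeMeter Runtime Server ports

# Constructed connection log lines in a simple key=value format.
SAMPLE_LOG = [
    "2021-04-30T10:00:01Z src=10.0.5.12 dst=10.0.1.20 dport=22350 proto=tcp",   # trusted host
    "2021-04-30T10:00:02Z src=203.0.113.7 dst=10.0.1.20 dport=22350 proto=tcp", # untrusted
    "2021-04-30T10:00:03Z src=203.0.113.7 dst=10.0.1.20 dport=22350 proto=tcp", # untrusted, repeat
    "2021-04-30T10:00:04Z src=203.0.113.7 dst=10.0.1.20 dport=22351 proto=tcp", # untrusted, other port
    "2021-04-30T10:00:05Z src=198.51.100.9 dst=10.0.1.20 dport=443 proto=tcp",  # not a CodeMeter port
    "malformed line with no fields",
]
TRUSTED_NETWORKS = ["10.0.0.0/8"]  # assumed trusted range for the example

_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; unknown tokens are ignored."""
    return dict(_KV_RE.findall(line))


def untrusted_codemeter_connections(
    lines: Iterable[str], trusted_cidrs: Iterable[str]
) -> Dict[str, int]:
    """Count connections to CodeMeter ports per source IP outside the trusted CIDRs."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits: Counter = Counter()
    for line in lines:
        fields = parse_line(line)
        try:
            dport = int(fields["dport"])
            src = ipaddress.ip_address(fields["src"])
        except (KeyError, ValueError):
            continue  # malformed line: no usable port or address
        if dport not in CODEMETER_PORTS:
            continue  # traffic to some other service
        if any(src in net for net in trusted):
            continue  # expected client, no alert
        hits[str(src)] += 1
    return dict(hits)


def repeat_offenders(hits: Dict[str, int], min_attempts: int = 2) -> List[str]:
    """Sources with at least min_attempts untrusted connections, most active first."""
    return [src for src, n in sorted(hits.items(), key=lambda kv: -kv[1]) if n >= min_attempts]


if __name__ == "__main__":
    hits = untrusted_codemeter_connections(SAMPLE_LOG, TRUSTED_NETWORKS)
    print("untrusted connections per source:", hits)
    print("repeat offenders:", repeat_offenders(hits))
```

In practice the trusted list should mirror the firewall allow-list from the Network Segmentation workaround, so that anything this rule flags is also something the firewall should already have blocked; a hit therefore indicates either a gap in the segmentation or a host that was added to the allow-list without review.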
🔗 References
- https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210423-01.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-675303.pdf
- https://us-cert.cisa.gov/ics/advisories/icsa-21-210-02
- https://www.tenable.com/security/research/tra-2021-24