FAQ – Security Advisory 200521
FAQ last updated: 2020-10-09.
Frequently Asked Questions (Q&A)
Q: How critical is the situation in practice?
A: In order to exploit the vulnerabilities, attackers must either have access to the system itself or access to a system on the same network. Attackers must have already broken into the network or gained access to it. If they have managed to do so, they can exploit the specified vulnerabilities.
However, one of the vulnerabilities (CVE-2020-14519) can be exploited just by calling up an appropriately prepared web page.
Q: Do I have to install the update on all systems?
A: The CodeMeter Runtime on all platforms (Windows, macOS, Linux) is affected.
Q: My systems are running in a protected environment. Do I still have to install the update?
A: If you can make sure that attackers cannot gain access to your network and only Update Files from trusted sources are processed, then the vulnerabilities cannot be exploited and you can do without the update. If it is possible to access websites on the Internet from this computer, you should deactivate access to the WebSocket API for security reasons (see below).
Q: When will version 7.10a be available?
A: CodeMeter version 7.10a is already available for download at www.wibu.com/support/user.
Q: What is the WebSocket API used for and by whom?
A: The WebSocket API allows you to query information about existing CmContainers from a web browser, create Context Files and import Update Files. It is usually only used by CodeMeter License Central WebDepot.
The Software Activation Wizard that uses the CodeMeter License Central Gateways and the file-based activation in CodeMeter License Central WebDepot do not use the WebSocket API.
Q: How does CodeMeter License Central WebDepot behave if the WebSocket API is disabled or cannot be loaded due to incompatibility?
A: If WebDepot cannot successfully communicate with the WebSocket API, it automatically switches to file-based activation. In this case, users have to create the Context Files and apply downloaded Update Files themselves. In principle, however, all actions are also possible with the file-based activation.
Q: What are the new features of the new WebSocket API in CodeMeter version 7.10a?
A: The new version of the WebSocket API requires the use of a certificate issued by Wibu-Systems for the website that wants to exchange information and data with CodeMeter License Server. The previous version of the WebSocket API is deactivated by default.
This means that a CodeMeter runtime environment version 7.10a can only perform direct activation with an appropriately updated WebDepot.
Q: How can I reactivate the old WebSocket API for CodeMeter version 7.10a?
A: By setting the profiling entry 'CmWebSocketAllowWithoutOriginCheck' to the value '1' and restarting CodeMeter License Server, the old WebSocket API can be reactivated without origin check. This allows you to perform a direct activation despite using an old CodeMeter License Central WebDepot.
Activating the old WebSocket API is not recommended. Please update CodeMeter License Central WebDepot.
Q: How can the old WebSocket API be switched off and what are the effects?
A: By setting the profiling entry 'CmWebSocketApi' to the value '0' and restarting CodeMeter License Server, the old WebSocket API can be deactivated.
Deactivating the WebSocket API applies only to the old WebSocket API version without origin verification. Once you install version 7.10a, the new WebSocket API with origin verification is available and enabled.
Deactivation is especially recommended if CodeMeter prior to version 6.90 is used and cannot be updated.
Disabling WebSocket API means that direct activation in CodeMeter License Central WebDepot can no longer be used until CodeMeter Runtime has been updated to version 7.10a or newer. The Software Activation Wizard that uses the CodeMeter License Central Gateways and the file-based activation in CodeMeter License Central WebDepot will still work.
Q: If I now deactivate the WebSocket API for a CodeMeter version prior to 7.10a, will it be reactivated by updating to a new version?
A: Yes, the deactivation is permanent only for the old WebSocket API without origin verification. After updating to CodeMeter version 7.10a or later, the new WebSocket API with origin verification is immediately available.
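The version and profiling-entry rules from the answers above can be turned into a fleet check. The following is an added example, not Wibu-Systems code: it assumes each host's profiling entries have been exported as plain 'name=value' lines (where the Runtime stores them is not stated in this FAQ), and the host names and inventory are constructed.

```python
import re

def parse_version(text):
    """Turn '7.10a' into a sortable tuple (7, 10, 'a'); the letter suffix is optional."""
    m = re.fullmatch(r"(\d+)\.(\d+)([a-z]?)", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3)

def parse_entries(text):
    """Parse exported 'name=value' lines (assumed format); skip blanks, comments, [sections]."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        entries[name.strip()] = value.strip()
    return entries

FIXED = parse_version("7.10a")

def legacy_websocket_state(version, entries):
    """Return (old_api_reachable, advice) following the FAQ's description."""
    if parse_version(version) >= FIXED:
        # From 7.10a the old API is off unless it was explicitly re-enabled.
        # Its interplay with CmWebSocketApi=0 is not stated, so it is flagged regardless.
        if entries.get("CmWebSocketAllowWithoutOriginCheck") == "1":
            return True, "remove CmWebSocketAllowWithoutOriginCheck=1 and update WebDepot"
        return False, "ok: only the origin-checked WebSocket API is active"
    # Before 7.10a the old API is assumed on unless CmWebSocketApi is set to 0.
    if entries.get("CmWebSocketApi") == "0":
        return False, "mitigated: update the Runtime to 7.10a when possible"
    return True, "update to 7.10a, or set CmWebSocketApi=0 and restart CodeMeter License Server"

# Constructed inventory: (host, Runtime version, exported profiling entries).
SAMPLE = [
    ("ws-01", "6.80", ""),
    ("ws-02", "6.80", "CmWebSocketApi=0"),
    ("ws-03", "7.10a", ""),
    ("ws-04", "7.10a", "CmWebSocketAllowWithoutOriginCheck=1"),
]

def audit(inventory):
    return {host: legacy_websocket_state(ver, parse_entries(raw)) for host, ver, raw in inventory}

if __name__ == "__main__":
    for host, (exposed, advice) in audit(SAMPLE).items():
        print(f"{host}: old WebSocket API {'REACHABLE' if exposed else 'off'} - {advice}")
```
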
Additional Frequently Asked Questions (Q&A) for software vendors who license with CodeMeter
Q: Why should I notify my users?
A: Larger companies and institutional clients often actively check the vulnerabilities of new releases. Thus, there is a chance that your users will notice. By notifying them proactively, you show that you are aware of your responsibility for the security of your users’ systems.
Q: Do I have to re-encrypt the protected software?
A: No, the security vulnerabilities only affect components that are installed on the systems via the CodeMeter Runtime. However, if you have integrated the installation of the CodeMeter Runtime into your installer, you would have to replace it.
Q: Do I have to apply a firmware update for the used CmDongles?
A: No, the security vulnerabilities only affect components that are installed on the systems via the CodeMeter Runtime. No functions in the CodeMeter hardware are affected, therefore no firmware update is necessary.
Q: Does this affect CodeMeter License Central?
A: Yes. CodeMeter License Central uses CodeMeter libraries and therefore it is possible that it will be affected by the vulnerabilities. License Central versions from 3.00 have been tested and verified to work with the new version of CodeMeter, v7.10a (in particular, 3.00, 3.21a, 3.30a,b,c). If Wibu-Systems is hosting your CodeMeter License Central, then they will perform the updates automatically and you need do nothing. If not, then you are advised to manually update the version of CodeMeter to 7.10a. Instructions on how to do this are available in the developer download section at https://www.wibu.com/support/developer/downloads-developer-software.html in the section of "CodeMeter License Central Updates" as "Update 3.x | CodeMeter 7.10a".
Q: I do not use CodeMeter Runtime for my application but CodeMeter Embedded. Do I have to patch or adapt the code coming from CodeMeter Embedded?
A: No, the security vulnerabilities only affect components of the CodeMeter Runtime. The reported vulnerabilities cannot be applied to CodeMeter Embedded.
Q: Do the vulnerabilities allow people to circumvent the licenses and software protection?
A: In the case of CmActLicense Firm Codes (Firm Code 5.xxx.xxx), there is a possibility that licenses can be manipulated (CVE-2020-14515). Specifically, existing valid licenses can be invalidated by a manipulated Update File, or invalid licenses can become valid again by a manipulated Update File. Attackers can also create new (though invalid) licenses. To execute the attack, the attackers must have a valid Update File that has not yet been installed. If the license is also bound to a computer, attackers can only attack this one license for which they have the Update File.
The other security holes concern access to memory and the execution of commands on the operating system and do not directly affect licensing or protection.
Q: When will a version of CodeMeter License Central WebDepot be available that supports WebSocket API with the new origin validation?
A: A patch is available, which enables all CodeMeter License Central WebDepot versions, starting with 14.01.111.500, to communicate with the old and new WebSocket API. This patch can be downloaded by software vendors, who operate a WebDepot themselves, from the developer area of our website under "CodeMeter License Central Internet Extensions".
Q: Will the new CodeMeter License Central WebDepot support both the old and the new WebSocket API?
A: Yes, CodeMeter License Central WebDepot supports both versions by default after applying the patch. This will allow both users with an old, non-updated CodeMeter runtime environment and users with a current CodeMeter runtime environment to perform direct activation.