A: CmWAN is disabled by default. If you do not have it enabled, CVE-2021-20094 does not affect you. When CmWAN is enabled, an attacker must have access either to the system itself or to a system on the same network to exploit the vulnerability. The CmWAN servers can be accessed via the Internet, but access is protected by credentials. In this scenario, only authenticated users could exploit the vulnerability over the Internet.
Q: How can I verify that CmWAN is deactivated?
A: Upon starting CodeMeter, the logging – visible, for example, in the Events tab of CodeMeter Control Center – logs whether the CmWAN server is active. The CmWAN server is deactivated, if the log states "Run as CmWAN server: no". If configured this way, CVE-2021-20093 cannot be exploited.
Q: Do I have to install the update on all systems?
A: If CmWAN is enabled, CodeMeter Runtime is affected on all platforms (Windows, macOS, Linux). You must apply the update on all systems on which you have CmWAN enabled.
Q: My systems are running in a protected environment. Do I still have to install the update?
A: If you host a CmWAN server, make sure that access over the Internet is possible only with credentials and that attackers cannot gain access to your network. If this is the case, the vulnerability CVE-2021-20094 can only be exploited over the Internet by authenticated users.
Additional Frequently Asked Questions (Q&A) for software vendors who use CodeMeter for licensing
Q: Do I have to re-encrypt the protected software?
A: No, the security vulnerability only affects components that are installed on systems via CodeMeter Runtime. However, if you have included CodeMeter Runtime in your installer, you would have to replace it.
Q: Does this affect CodeMeter License Central?
A: No, CodeMeter License Central is not affected by this security vulnerability. The CodeMeter License Server used by CodeMeter License Central is not configured as a CmWAN server.
Q: I do not use CodeMeter Runtime, but rather CodeMeter Embedded for my application. Do I have to patch or adapt the code coming from CodeMeter Embedded?
A: No, the security vulnerability only affects components of CodeMeter Runtime. The reported vulnerability cannot be exploited with CodeMeter Embedded.
Q: Do I have to apply a firmware update for active CmDongles?
A: No, the security vulnerability only affects components that are installed on systems via CodeMeter Runtime. No functions of the CodeMeter hardware are affected, therefore no firmware update is necessary.
Q: Does the vulnerability allow people to circumvent the licenses or software protection?
A: This security vulnerability does not directly affect licensing or protections.
Q: Why should I notify my users?
A: Larger companies and institutional clients often actively follow reports on the vulnerabilities of new releases. There is a chance that your users will become aware of the vulnerability. By notifying them proactively, you show that you recognize your responsibility for the security of your users’ systems.