Due to a severe security vulnerability issue in a third-party component used in Evident Application Software, it is strongly advised to install the provided Service Update. This Service Update provides a version of the affected component that closes the vulnerability gap.
The target software is as follows.
As a result of our survey, it revealed that there are two vulnerabilities.
CVE-2023-3935: A heap buffer overflow vulnerability in Wibu CodeMeter Runtime
CVE-2023-38545: This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake
Please see for more information.
Product Security Advisory WIBU-230704-01-v3.0
https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/AdvisoryWIBU-230704-01-v3.0.pdf
Product Security Advisory WIBU-231017-01
https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/AdvisoryWIBU-231017-01.pdf
NIST(*1) NVD(*2)
https://nvd.nist.gov/vuln/detail/CVE-2023-3935
https://nvd.nist.gov/vuln/detail/CVE-2023-38545
(*1) NIST: National Institute of Standards and Technology
(*2) NVD: National Vulnerability Database
CVE-2023-3935
The impact depends on where CodeMter is installed.
a) CodeMeter Runtime (i.e., CodeMeter.exe) is configured as a server
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to execute code on vulnerable products.
b) CodeMeter Runtime is configured as a client
An authenticated local attacker to gain root/admin privileges on vulnerable products.
CVE-2023-38545
Customer floating license server and listed applications above use the affected CodeMeter Runtime which internally use the libcurl in a version that is vulnerable to a buffer overflow attack if curl is configured to redirect traffic through a SOCKS5 proxy.
A malicious proxy can exploit a bug in the implemented handshake to cause a buffer overflow.
If you have installed the CodeMeter license server yourself, sending manipulated packets can cause a crash of it or possibly code can be smuggled in and executed.
Install the provided Service Update.
If auto update function is enabled, it appears the notice to install service update on your PC.
(For DP2-AOU users)
Please refer to the "Installing dedicated device drivers" section of the instruction manual and prepare to apply the update.
Furthermore, if you have enabled DP2-AVS (Antivirus software license), please also refer to "Preparing to launch the installation/update program" section of the instruction manual.
This service update is available for the following operating systems.
Make sure that all applications are closed.
1. Start Windows.
2. Log on with administrator rights.
3. Download the Service Update file (CodeMeter_7_60d.exe) from the below.
https://serviceupdates.olympus-sis.com/DownloadArea
For DP2-AOU users, download the Service Update file from here (CodeMeter Version 7.60d).
4. Make sure that all applications are closed.
5. Double-click the Service Update file.
6. If the user account control dialog is displayed, select 'Yes'.
7. When you are asked if you want to install CodeMeter 7.60d confirm with ‘Yes’.
8. A console window appears, type ‘y’ to confirm and proceed.
9. When the setup is complete, press any key to close the console window.
10. Check the version of CodeMeter.
Right-click from the CodeMeter tool on the task bar and click ‘About’ to verify that it is version 7.60d.
(For DP2-AOU users)
Launch "CodeMeter Control Center" from the Windows menu, then select "About CodeMeter Control Center" from the menu of the application and verify that it is version 7.60d.
If you are using the cellSens or Stream, and have enabled the auto update function, please take the following actions.
1. If you are connected to the internet, it appears the update notice dialog on your PC when you start the software.
Select ‘Do not tell me again and ignore the updates listed above in future checks’ on Update notice dialog, then press ‘OK’.
2. If it appears the update notice dialog on your PC before updates, check the version of CodeMeter.
(a) The case that the version of CodeMeter is 7.60d.
Select ‘Do not tell me again and ignore the updates listed above in future checks’ on reminder dialog, then press ‘OK’.
(b) The case that the version of CodeMeter is NOT 7.60d.
Install the Service Update according to the above installation procedure.
对不起,此内容在您的国家不适用。
您即将被转换到我们的本地网站。