CVE-2020-14515 - Vulnerability Details - OpenCVE

CodeMeter (All versions prior to 6.90 when using CmActLicense update files with CmActLicense Firm Code) has an issue in the license-file signature checking mechanism, which allows attackers to build arbitrary license files, including forging a valid license file as if it were a valid license file of an existing vendor. Only CmActLicense update files with CmActLicense Firm Code are affected.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Wibu	Codemeter

Configuration 1 [-]

cpe:2.3:a:wibu:codemeter:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2020-09-16T19:48:08

Updated: 2024-08-04T12:46:34.789Z

Reserved: 2020-06-19T00:00:00

Link: CVE-2020-14515

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-09-16T20:15:13.567

Modified: 2024-11-21T05:03:26.193

Link: CVE-2020-14515

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "CodeMeter", "vendor": "n/a", "versions": [{"status": "affected", "version": "All versions prior to 6.90 when using CmActLicense update files with CmActLicense Firm Code."}]}], "descriptions": [{"lang": "en", "value": "CodeMeter (All versions prior to 6.90 when using CmActLicense update files with CmActLicense Firm Code) has an issue in the license-file signature checking mechanism, which allows attackers to build arbitrary license files, including forging a valid license file as if it were a valid license file of an existing vendor. Only CmActLicense update files with CmActLicense Firm Code are affected."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "description": "IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-09-16T19:48:08", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2020-14515", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CodeMeter", "version": {"version_data": [{"version_value": "All versions prior to 6.90 when using CmActLicense update files with CmActLicense Firm Code."}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CodeMeter (All versions prior to 6.90 when using CmActLicense update files with CmActLicense Firm Code) has an issue in the license-file signature checking mechanism, which allows attackers to build arbitrary license files, including forging a valid license file as if it were a valid license file of an existing vendor. Only CmActLicense update files with CmActLicense Firm Code are affected."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:46:34.789Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2020-14515", "datePublished": "2020-09-16T19:48:08", "dateReserved": "2020-06-19T00:00:00", "dateUpdated": "2024-08-04T12:46:34.789Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wibu:codemeter:*:*:*:*:*:*:*:*", "matchCriteriaId": "04ECF3CE-FA64-4B81-B769-84844ED87CF7", "versionEndExcluding": "6.90", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "CodeMeter (All versions prior to 6.90 when using CmActLicense update files with CmActLicense Firm Code) has an issue in the license-file signature checking mechanism, which allows attackers to build arbitrary license files, including forging a valid license file as if it were a valid license file of an existing vendor. Only CmActLicense update files with CmActLicense Firm Code are affected."}, {"lang": "es", "value": "CodeMeter (todas las versiones anteriores a 6.90 cuando se utilizan archivos de actualizaci\u00f3n con CmActLicense Firm Code) presenta un problema en el mecanismo de comprobaci\u00f3n de firmas de archivos de licencia, que permite a atacantes crear archivos de licencia arbitrarios, incluyendo la falsificaci\u00f3n de un archivo de licencia v\u00e1lido como si fuera un archivo de licencia v\u00e1lido de un proveedor existente. Solo est\u00e1n afectados los archivos de actualizaci\u00f3n de CmActLicense con CmActLicense Firm Code"}], "id": "CVE-2020-14515", "lastModified": "2024-11-21T05:03:26.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-16T20:15:13.567", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}