Wibu-Systems has notified us about the presence of two vulnerabilities in WibuKey and recommends updating the WibuKey runtime to a new version on all systems not running in protected environments. Our software uses WibuKey as license dongles. More information can be found here: https://cdn.wibu.com/fileadmin/wibu_dow ... -94453.pdf
Our current recommendation:
We recommend that all users check ASAP whether WibuKey runtime v6.60 or older is installed on their systems. If it is:
1. Unplug any WibuKey dongle.
2. Uninstall the WibuKey runtime. Choose Ignore if a file is reported locked and continue to uninstall.
3. Restart.
4. Download and run the latest WibuKey runtime v6.70 installer.
5. Uncheck both server and network options as shown below if the WibuKey is used only for GC Image or LC Image software, and then install. If the WibuKey is used by another software, contact the software vendor for instructions.
Product Affected:
WibuKey dongles are used by GC Image software suites for licensing protection. All versions of GC Image software installers have a WibuKey Runtime installer bundled. The bundled WibuKey runtime installer is v6.60 or older, and invoked by default.
System Affected:
Any system where any edition and version of GC Image software has been installed may have the WibuKey runtime installed and is potentially affected.
Vulnerability Details:
The following two vulnerabilities were publicly disclosed on Sept 11th, 2024.
CVE-2024-45181: An improper buffer bounds check in WibuKey32.sys and WibuKey64.sys allows specially crafted calls to cause arbitrary address writes, resulting in kernel memory corruption.
CVE-2024-45182: An improper buffer bounds check in WibuKey32.sys and WibuKey64.sys allows specially crafted calls to cause an arbitrary address read, which could result in denial of service.
Local access is needed for exploitation. The vulnerabilities cannot be exploited via the network.
Mitigation:
As local access is needed to exploit the vulnerabilities, it is recommended to take strict measures to control the access to the systems where the vulnerable WibuKey driver is installed.
To resolve these vulnerabilities, update the WibuKey runtime, or remove the WibuKey runtime, as described in our recommendation above.
Installers for GC Image software suites with the updated version 6.70 of the WibuKey Runtime software will be provided online soon, starting from the latest versions. To replace CD or DVD media, please contact us.
(Sept 30th 2024 5:15pm US Central Time) The online installers for the current version (v2024r2) have been updated to include WibuKey runtime v6.70. The updated installers are indicated by "sp1" (security patch 1) in the installer exe filename.
Update and maintenance packages do not contain WibuKey runtime.
Installers for previous versions (v2024r1 or older) have not been updated, and still contain an old version of WibuKey runtime.
When installing an old version or installing with an old installer, be sure to uncheck and skip the WibuKey installation option at the end of the setup, then follow our recommendation to download and install the latest WibuKey Runtime v6.70.
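For the first step of the recommendation above (checking whether WibuKey runtime v6.60 or older is installed), the following PowerShell check can be run on each Windows system. It is an added example, not code from Wibu-Systems or from us as the software vendor. It assumes the runtime's uninstall entry has "WibuKey" in its display name and a display version that starts with a dotted number such as 6.60, and it treats anything below 6.70 as needing the update.

```powershell
# Added example. Assumptions: the uninstall entry's DisplayName contains "WibuKey"
# and DisplayVersion starts with a dotted number in the advisory's form (6.60, 6.70).
$fixed = [version]'6.70'   # fixed runtime version named in this advisory

function Get-LeadingVersion {
    param([string]$Text)
    # Keep the leading "major.minor[.build[.rev]]" part and ignore trailing text.
    if ($Text -match '^\s*(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

# Installed-program entries, 64-bit and 32-bit registry views.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*WibuKey*' }

# Registered kernel drivers whose image is one of the files named in the CVEs.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'WibuKey(32|64)\.sys' }

$report = @(
    foreach ($e in $entries) {
        $v = Get-LeadingVersion $e.DisplayVersion
        if ($null -eq $v)      { $status = 'UNKNOWN version, check manually' }
        elseif ($v -lt $fixed) { $status = 'UPDATE NEEDED (older than 6.70)' }
        else                   { $status = 'OK (6.70 or newer)' }
        [pscustomobject]@{ Source = 'Uninstall entry'; Item = $e.DisplayName
                           Detail = $e.DisplayVersion; Status = $status }
    }
    foreach ($d in $drivers) {
        # The driver file alone does not tell the runtime version; report it so a
        # leftover driver after an uninstall is noticed.
        [pscustomobject]@{ Source = 'Kernel driver'; Item = $d.Name
                           Detail = $d.PathName; Status = "Present ($($d.State))" }
    }
)

if ($report.Count -eq 0) {
    Write-Output 'No WibuKey runtime entry or WibuKey driver found on this system.'
} else {
    $report | Format-Table -AutoSize -Wrap
}
```

A "Kernel driver" row with no matching "Uninstall entry" row means a driver file is still registered without the runtime package, and the system should be checked by hand.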