Wibu-Systems has notified us about the presence of three vulnerabilities in WibuKey (our GC Image and LC Image software use WibuKey dongles for licensing), and recommends updating the WibuKey runtime to the new version on all systems that are not running in protected environments.
Our current recommendation:
We recommend that all users check as soon as possible whether WibuKey runtime v6.40 or older is installed on their systems. If it is:
Unplug any WibuKey dongle
Uninstall the WibuKey runtime. Choose Ignore if a file is reported locked and continue to uninstall.
Restart
Download and run the latest WibuKey runtime v6.50 installer
Uncheck both server and network options as shown below if the WibuKey is used only for GC Image or LC Image software, and then install. If the WibuKey is used by another software, contact the software vendor for instructions.
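To find the systems that need the steps above, here is an added PowerShell inventory check (not part of this advisory and not a Wibu-Systems tool). It assumes the WibuKey runtime registers under a display name containing "WibuKey" in the standard Uninstall keys, that the driver path contains WibuKey.sys, and that the network server appears as a Windows service whose name or display name contains "WibuKey".

```powershell
# Added example, not from the GC Image advisory: report WibuKey runtime,
# driver and network server presence so affected hosts can be updated.
$MinimumSafe = [version]'6.50'   # runtime version the advisory asks for

function Get-WibuKeyRuntime {
    # Standard Uninstall keys; the '*WibuKey*' display-name match is an assumption.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*WibuKey*' } |
        ForEach-Object {
            $v = $null
            if ($_.DisplayVersion) { [void][version]::TryParse($_.DisplayVersion, [ref]$v) }
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = $v
                NeedsUpdate = (-not $v) -or ($v -lt $MinimumSafe)   # unknown version counts as affected
            }
        }
}

function Get-WibuKeyDriver {
    # WibuKey.sys is the kernel driver named in CVE-2018-3989 / CVE-2018-3990.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -like '*wibukey.sys*' } |
        Select-Object Name, State, PathName
}

function Get-WibuKeyNetworkServer {
    # Service-name pattern is an assumption; a running server means CVE-2018-3991 applies.
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -like '*WibuKey*' -or $_.DisplayName -like '*WibuKey*' } |
        Select-Object Name, DisplayName, State, StartMode
}

$runtime = @(Get-WibuKeyRuntime)
$driver  = @(Get-WibuKeyDriver)
$server  = @(Get-WibuKeyNetworkServer)

if (-not $runtime -and -not $driver) {
    Write-Output 'No WibuKey runtime or driver found on this host.'
} else {
    $runtime | Format-Table -AutoSize
    $driver  | Format-Table -AutoSize
    if ($server) {
        Write-Warning 'WibuKey network server service present; not needed for GC Image / LC Image.'
        $server | Format-Table -AutoSize
    }
    if ($runtime | Where-Object NeedsUpdate) { Write-Warning "Runtime older than $MinimumSafe: follow the update steps." }
}
```

Run it in an elevated PowerShell session so the 64-bit and WOW6432Node Uninstall keys and the service list are both readable.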
We are working with Wibu-Systems and will post additional updates once we know more.
Product Affected:
WibuKey dongles are used by GC Image and LC Image software for licensing protection. All versions of the GC Image and LC Image software installers have a WibuKey Runtime installer bundled. The bundled WibuKey runtime installer is v6.32 or older, and is invoked by default.
System Affected:
Any system on which GC Image or LC Image software has been installed may have the WibuKey runtime installed and is potentially affected.
Vulnerability Details
The following three vulnerabilities were publicly disclosed by Cisco Talos on Dec 20th, 2018.
CVE-2018-3989: WIBU-SYSTEMS WibuKey.sys kernel memory information disclosure vulnerability
CVE-2018-3990: WIBU-SYSTEMS WibuKey.sys pool corruption privilege escalation vulnerability
CVE-2018-3991: WIBU-SYSTEMS WibuKey network server management remote code execution vulnerability
This is the most serious vulnerability. As stated by Wibu-Systems,
The vulnerability affects only systems on which a WibuKey network server is running, i.e. systems that are providing licenses from a plugged-in WibuBox for use by other clients in the network.
GC Image and LC Image software do not use the WibuKey network server as described above. But the WibuKey runtime installer installs the server by default.
Mitigation:
No mitigation options are known. Only an update of the WibuKey runtime, or removing the WibuKey runtime, can resolve these vulnerabilities, as described in our recommendation above.
Installers for GC Image and LC Image software with the updated version 6.50 of the WibuKey Runtime software will be provided online soon, starting with the latest versions. For replacement CD or DVD media, please contact us.
(Dec 28th 2018 3:00pm US Central Time) The online installers for the current version (v2.8r2) have been updated to include WibuKey runtime v6.50.
Update and maintenance packages do not contain WibuKey runtime.
Installers for previous versions (v2.8r1 or older) have not been updated, and still contain an old version of WibuKey runtime.
When installing an old version or installing with an old installer, be sure to uncheck and skip the WibuKey installation option at the end of the setup, then follow our recommendation to download and install the latest WibuKey Runtime v6.50.