WibuKey Driver Vulnerability (CVE-2024-45181)


Last Update: 3-October-2024

Quick Links:

What is the Vulnerability?

What Platforms/Components/Licensing Options of SIMetrix/SIMPLIS are Affected?

How to Determine the Currently Installed Dongle Driver Version

Mitigation Strategies

How to Remove the Vulnerable Driver

How to Update the Vulnerable Driver

Backwards Compatibility and Troubleshooting

What is the Vulnerability?

From NIST:

CVE-2024-45181

"An issue was discovered in WibuKey64.sys in WIBU-SYSTEMS WibuKey before v6.70 and fixed in v.6.70. An improper bounds check allows crafted packets to cause an arbitrary address write, resulting in kernel memory corruption."

From the SIMetrix/SIMPLIS Team:

The Windows driver for the 10- series USB keys we issue for both Portable licenses (common) and network licenses tied to USB keys (less common) has a vulnerability that allows software run by local users of a PC to improperly write to memory. Because this is a device driver on Windows, it runs at a very low level, and maliciously crafted improper writes could result in denial of service, system instability or worse. It is important to note that this is a local vulnerability; it does not enable remote code execution.

What Platforms/Components/Licensing Options of SIMetrix/SIMPLIS are Affected?

All modern versions of the SIMetrix/SIMPLIS client software are distributed with a vulnerable version of the WIBU driver. It is possible to have installed our software without the driver (via a command line switch or the .MSI version of the installer), but most users will have installed it even if the licenses involved are not tied to 10- series USB keys.

Administrators may have also installed the dongle driver to support network licenses tied to USB keys with FLEXID numbers beginning with "10-" on Windows-based license manager systems. This is a less common licensing option, but far from unheard of.

How to Determine the Currently Installed Dongle Driver Version

To determine the dongle driver version installed on a PC, use the Windows Control Panel to view "Programs and Features" and scroll to "WibuKey", or use the newer Settings app to view "Apps and features" and scroll to "WibuKey".

Either approach will allow you to determine the presence of the driver on your system and the installed version (again, all versions lower than v6.70 are noted as vulnerable). If the driver was installed as part of the SIMetrix/SIMPLIS installation package, it will appear on the software listings noted above.
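For administrators who need to check more than a handful of PCs, the same information can be read from the registry and the driver file. The following PowerShell script is an added example, not a tool from SIMetrix/SIMPLIS or WIBU-SYSTEMS; it assumes the uninstall entry's DisplayName contains "WibuKey" (as shown in "Programs and Features") and that the kernel driver named in the CVE lives in the standard Windows drivers folder.

```powershell
# Added example (not from the SIMetrix/SIMPLIS advisory): report whether a WibuKey
# driver package below v6.70 (the version noted as vulnerable to CVE-2024-45181)
# is installed on this Windows PC.
$FixedVersion = [version]'6.70'

# Query both the 64-bit and the 32-bit (WOW6432Node) uninstall hives, which is
# where "Programs and Features" gets its listing from.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*WibuKey*' }   # assumption: name contains "WibuKey"

if (-not $entries) {
    Write-Output 'WibuKey driver package not found in Programs and Features.'
}
else {
    foreach ($e in $entries) {
        # DisplayVersion may have more than two components; [version] compares them numerically,
        # so "6.60.1234" is correctly reported as below 6.70.
        $installed = $null
        if (-not [version]::TryParse($e.DisplayVersion, [ref]$installed)) {
            $status = 'UNKNOWN (version string could not be parsed)'
        }
        elseif ($installed -lt $FixedVersion) {
            $status = 'VULNERABLE (below v6.70; remove or update per the advisory)'
        }
        else {
            $status = 'OK (v6.70 or later)'
        }
        Write-Output ('{0} {1}: {2}' -f $e.DisplayName, $e.DisplayVersion, $status)
    }
}

# Cross-check the kernel driver file named in the CVE. The path is the usual
# location for Windows kernel drivers (an assumption; the advisory does not state it).
$sysPath = Join-Path $env:SystemRoot 'System32\drivers\WibuKey64.sys'
if (Test-Path $sysPath) {
    $fileVer = (Get-Item $sysPath).VersionInfo.FileVersion
    Write-Output "WibuKey64.sys is present, file version: $fileVer"
}
else {
    Write-Output 'WibuKey64.sys is not present in the drivers folder.'
}
```

Run it in an elevated PowerShell session so both registry hives and the drivers folder are readable; a "VULNERABLE" line means the removal or update steps later in this document apply to that PC.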

Mitigation Strategies

If you have a low tolerance for risk, you should uninstall the vulnerable WibuKey driver on the client machine even if your license is not tied to a 10- series USB key. Below are specific scenarios related to our different licensing options, and following this section are specific dongle driver update and removal instructions.

NOTE: The below recommendations assume that SIMetrix/SIMPLIS products are the only software products using WibuKey drivers on your system. If this is not the case, you should consult the other providers and merge their recommendations with ours.

For end users of the SIMetrix/SIMPLIS client software using a network license, the WibuKey driver can simply be uninstalled from the client PC.  This should have no effect on the operation of the licensed SIMetrix/SIMPLIS client software.

For end users of the SIMetrix/SIMPLIS client software using a portable license tied to an older 9- series dongle, the WibuKey drivers can be uninstalled from the client PC. 9- series dongles are from a different manufacturer and use different drivers.  This should have no effect on the operation of the licensed SIMetrix/SIMPLIS client software.

For administrators of Windows-based license server manager servers with licenses tied to an older 9- series dongle, the WibuKey drivers can be uninstalled from the server PC.  9- series dongles are from a different manufacturer and use different drivers.  This should have no effect on the operation of the licensed SIMetrix/SIMPLIS client software.

For administrators of Windows-based license server manager servers with licenses tied to 10- series USB keys, updating the WibuKey driver to a non-vulnerable version and updating the license manager service binaries to their latest version should be all that is required.  After the update, the license manager service should function as normal.

For end users of the SIMetrix/SIMPLIS client software using a portable license tied to a 10- series dongle requiring the vulnerable driver, users with a low appetite for risk in the short term can choose to uninstall the WibuKey driver from their system.  For this license type, removing the driver will result in a system where the SIMetrix/SIMPLIS client software is not able to communicate with the USB key and will complain on startup that no license is available due to the dongle not being recognized. For these users, we will offer a temporary nodelocked license file tied to the MAC address of the PC. This will allow users to run the client software until a compatible release of our client software is released.

In the near future, we will be releasing a new version of the SIMetrix/SIMPLIS client software (v9.20) that is compatible with the non-vulnerable updated USB dongle driver. At that point, temporary licenses will no longer be required as the client software will properly recognize the USB key with the updated driver.

How to Remove the Vulnerable Driver

To remove the WibuKey driver from the system, users are strongly encouraged to use a built-in Windows method to do so via either the "Programs and Features" or "Apps and features" applets listed above.

In some cases that we have not been able to reproduce reliably, the native Windows uninstall approach can fail. As a last resort, we have created a driver uninstall program that can be downloaded here:

https://www.simetrix.co.uk/Files/lic/uninstallwibu-x64.exe

Again, the downloadable uninstaller should be used only if/when the native Windows software removal tools have failed.

When uninstalling, users are likely to encounter a dialog box asking how to proceed. Select "Ignore", then reboot the system when the program completes. After uninstalling the driver and rebooting, the PC should no longer be at risk from anything targeting this vulnerability.

NOTE: Removing the WibuKey driver will prevent the dongle from being recognized by any software program, not just SIMetrix/SIMPLIS products. As mentioned before, you should consult the providers of any other software tied to a WibuKey device and merge their recommendations with ours.

How to Update the Vulnerable Driver

A new installer for v6.70 of the WibuKey driver has been created and made available from here:

https://www.simetrix.co.uk/Files/lic/installwibu-x64-67.exe

The download supports both Windows 10 and Windows 11; however, the installation instructions for the two OS versions differ slightly.

How to Update the Vulnerable Driver in Windows 10

Users on Windows 10 should perform the following steps in this exact order:

  1. Uninstall the dongle driver using the uninstallation procedure described above.
  2. Reboot.
  3. Run the new dongle driver installer.

Repeated tests have shown that performing these steps in any other order can lead to the process failing, even if it reports success (or reports nothing). To recover if the steps were performed out of order, the user should:

  1. Reboot.
  2. Re-run the new dongle driver installer.

How to Update the Vulnerable Driver in Windows 11

Users on Windows 11 should perform the following steps in this order:

  1. Run the new dongle driver installer.
  2. Reboot.

Backwards Compatibility and Troubleshooting

While we strive for backwards compatibility with respect to licensing, older versions of the SIMetrix/SIMPLIS client software that expect the vulnerable version of the USB dongle driver in order to support portable licensing will not function with the newer USB dongle driver. Only v9.20 and later of the client software recognize the USB key with the updated driver.

We have also put together a support document on our website to assist users with troubleshooting USB dongle issues that might arise after an installation or upgrade of v9.20 and above here:

https://www.simetrix.co.uk/support/fix-dongle-problems.html