(0day) FlexNet License Server Manager lmadmin Remote Code Execution Vulnerability
Affected Vendor and Product: Flexera Software’s FlexNet License Server Manager
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Flexera Software Flexnet License Server Manager. Authentication is not required to exploit this vulnerability.
The flaw exists within the lmadmin component which listens by default on TCP port 27000 (this can vary however if the port is in use). When handling a packet type having the opcode 0x2f the process trusts a user provided value when calculating the bytes remaining in the packet. Using this tainted remaining length value the process then copies packet data into a buffer on the heap. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the lmadmin user.
Flexera Software states:
[July 28, 2011] - This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180 day deadline.
Mitigation supplied by vendor:
This report has been entered into Flexera Softwares technical support case tracking system as IOC-000086525. The FlexNet License Server Manager components (lmgrd, lmadmin, and each vendor daemon) are only intended to be deployed in networks that are controlled by the recipient of FlexNet-enabled software. In particular, they are not intended to be deployed on the internet or in a public cloud. Flexera Software acknowledges that the deployment environments available to the FlexNet License Server Manager components are increasing and Flexera Software is considering supporting new deployment environments for these components in future releases of its products.
Full details here.
Update 2011-08-04: Flexera publishes an IMPORTANT NOTICE: Possible Security Vulnerability Identified in FlexNet Publisher lmadmin License Server Manager
A possible security vulnerability has been reported in the FlexNet Publisher lmadmin License Server Manager. More specifically, it is possible that a malicious user with access to the internal network could remotely execute arbitrary code under the lmadmin user context. In response, we suggest implementing the following best practices. This remains a theoretical vulnerability only. There have been no reported exploits of this possible vulnerability, and to date it has not been reported by a Flexera Software customer.
Flexera Software will provide a patch for all affected lmadmin platforms by August 12, 2011.
Hotfix Available for FlexNet Publisher lmadmin License Server Manager
A possible security vulnerability has been identified in the FlexNet Publisher lmadmin License Server Manager.
A hotfix for this has been incorporated into the latest version of lmadmin (version 126.96.36.199). If you are using an earlier version of lmadmin, please use the "lmadmin 188.8.131.52" links below to download the installer(s) for this latest version for your desired platform(s), and follow the instructions in the License Administration Guide to update lmadmin. http://www.globes.com/support/fnp_utilities_download.htm#downloads