Friday, August 19, 2011

Potential Security Vulnerability in FlexNet license manager

IMPORTANT NOTICE: August 16, 2011 Potential Security Vulnerability
Identified in Lmgrd License Server Managers and the Vendor Daemon

A possible security vulnerability has been reported in the FlexNet Publisher lmgrd license server managers as well as vendor daemons. More specifically, it is possible that a malicious user with full access to the internal network could remotely execute arbitrary code under the user context. In response, we are asking all users to run the lmgrd and vendor daemon at the least privileged security setting to eliminate this possible issue. We will issue a patch by September 30, 2011, as a precautionary measure. This remains a theoretical vulnerability only. There have been no reported exploits of this possible vulnerability, and to date it has not been reported by Flexera Software users.

Vulnerability Details

This possible vulnerability may affect all versions and platforms of lmgrd and vendor daemon.

Mitigation

Users can virtually eliminate this potential risk by running lmgrd and vendor daemon in a least privileged security level. See examples of how to do this on a variety of platforms.

In addition, the following best practices are recommended by Flexera Software:

License Administrator Best Practices for Mitigating Risk Exposure
The following steps are recommended as License Administrator best practices to help protect against potential security vulnerabilities:

  • Limit access to administrative users only by running the license server manager in a restrictive mode. Use the–adminOnly command-line option in lmadmin and the ‘-2 –p’ command-line option on lmgrd are the recommended settings unless you are using FlexNet Manager for Engineering Applications. Refer to the product documentation for limitations related to usage of these command-line options.
  • Do not use the default 27000 TCP port.
  • Utilize the recommended security settings offered by the Operating System (OS) vendors that resist the buffer/stack overflow attacks. For example, the Data Execution Prevention (DEP) feature on Windows helps in this regard. Most OS updates also include security features that take advantage of both hardware and software based protection mechanisms against malicious code execution.
Remedy

Flexera Software will deliver a hotfix for the FlexNet Publisher v11.10 lmgrd and vendor daemon release as a precautionary measure. This hotfix does not alleviate the need to run lmadmin, lmgrd and vendor daemons in a least privileged security context.
On September 30, 2011, a hotfix will be made available for all FlexNet Publisher v11.10 tier 1 platforms (AIX-PPC(PowerPC)-32 and PPC-64, LSB Linux x86-32 and x86-64, Mac OS X x86-32, x86-64, PPC-32, Microsoft Windows x86-32 and x86-64, Solaris SPARC-32, SPARC-64 and x86-32).
On October 28, 2011, FlexNet Publisher v11.10 tier 2 platforms (HP-UX-RISC-32, RISC-64 and IA(Itanium)-64, LSB Linux PPC-32 and PPC-64, Microsoft Windows IA-64, Red Hat Linux IA-64, SGI-MIPS-64, and Solaris x86-64) will be released with the hotfix included as part of the scheduled release.
Lmgrd and vendor daemons are backwards compatible and therefore we recommend all customers upgrade to the latest release.
Please note that Flexera Software cannot provide the vendor daemons to end users—vendor daemons will need to be provided by software vendors.

Full details here.

See also FlexNet License Server Manager lmadmin Remote Code Execution Vulnerability.

Use JTB FlexReport for historical and current license reports of applications using FlexNet.

No comments:

Post a Comment