
KLCERT-17-003: Sentinel LDK RTE: malformed ASN1 streams in V2C files lead to Remote Code Execution

Kaspersky Lab publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky Lab does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.

KL-IDS KLCERT-17-003
CVE-IDS CVE-2017-11496
Publication date 2017.01.26
Researcher Sergey Temnikov, Critical Infrastructure Defense Team, Kaspersky Lab ICS CERT
Description Malformed ASN.1 streams in V2C and similar input files can be used to trigger stack buffer overflows. The vulnerability allows arbitrary code execution.
Impact An unauthenticated attacker may be able to exploit the vulnerability and execute arbitrary code on the remote system.
Severity
CVSS v3 Base Score: 10.0
Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability Remotely
Difficulty Low
User interaction None
Existence of exploit Unknown
Affected products
Affected products HASP SRM, Sentinel HASP and Sentinel LDK products, prior to Sentinel LDK RTE 7.55 (hasplms.exe before 19.3.1.66130).
Mitigation
Vendor mitigation Customers running Sentinel LDK Run-time Environment (RTE) versions 2.10 to 7.50 are advised to update to the latest Sentinel LDK RTE component (v7.55), released on May 25, 2017. This update can be found on the Sentinel Downloads site.
Kaspersky Lab mitigation For Industrial Control Systems it is necessary to:

  • implement network monitoring to detect suspicious behavior on remote port 1947;
  • monitor for suspicious file executions.
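The first mitigation item asks for network monitoring of port 1947, the port the Sentinel LDK license manager listens on. The following is an added example (not part of the advisory and not Kaspersky Lab's or Gemalto's code) of the kind of check a monitoring pipeline can apply: it parses constructed firewall-style log lines, keeps only traffic to port 1947, and reports sources that are not in an allowlist of hosts expected to talk to the license manager. The log format, the allowlist network and all addresses are constructed; the assumption that both TCP and UDP on 1947 matter is mine, not the advisory's.

```python
"""Flag connections to the Sentinel LDK license port (1947) from unexpected sources.

Added example, not from the advisory. The advisory only names port 1947; the
key=value log format, the 10.10.0.0/24 allowlist and every address below are
constructed for illustration.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

LICENSE_PORT = 1947  # port named in the advisory's mitigation section

# Constructed allowlist: the only subnet whose hosts should query the license manager.
EXPECTED_CLIENTS = [ip_network("10.10.0.0/24")]

_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Extract key=value fields from one log line (tokens without '=' are ignored)."""
    return dict(_KV_RE.findall(line))


def is_unexpected(record: Dict[str, str], allow: Iterable = EXPECTED_CLIENTS) -> bool:
    """True if the record is traffic to port 1947 from a source outside the allowlist.

    Lines without a parseable dport/src are not flagged (they are simply not
    evidence of 1947 traffic); the check is protocol-agnostic on purpose, since
    the advisory does not restrict the port to TCP or UDP (assumption).
    """
    try:
        if int(record.get("dport", -1)) != LICENSE_PORT:
            return False
        src = ip_address(record["src"])
    except (KeyError, ValueError):
        return False
    return not any(src in net for net in allow)


def find_unexpected_sources(log_text: str, allow: Iterable = EXPECTED_CLIENTS) -> Counter:
    """Count 1947-bound connections per source address for sources outside the allowlist."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_unexpected(rec, allow):
            hits[rec["src"]] += 1
    return hits


# Constructed sample: two allowed clients, one external host probing the
# license port twice, one unrelated denied connection, and a malformed line.
SAMPLE_LOG = """\
2017-01-26T09:00:01Z src=10.10.0.15 dst=10.10.1.5 proto=tcp dport=1947 action=allow
2017-01-26T09:00:03Z src=10.10.0.22 dst=10.10.1.5 proto=udp dport=1947 action=allow
2017-01-26T09:01:10Z src=192.0.2.44 dst=10.10.1.5 proto=tcp dport=1947 action=allow
2017-01-26T09:01:11Z src=192.0.2.44 dst=10.10.1.5 proto=tcp dport=1947 action=allow
2017-01-26T09:02:00Z src=192.0.2.44 dst=10.10.1.5 proto=tcp dport=445 action=deny
2017-01-26T09:03:00Z src=10.10.0.15 dst=10.10.1.5 proto=tcp dport=1947 action=allow
this line is not a log record
"""

if __name__ == "__main__":
    for src, count in find_unexpected_sources(SAMPLE_LOG).most_common():
        print(f"unexpected source {src}: {count} connection(s) to port {LICENSE_PORT}")
```

Run against the constructed sample, only 192.0.2.44 is reported (two connections); the denied port 445 attempt and the allowlisted clients are not. In a real deployment the allowlist would come from the asset inventory, and the same record structure can be fed from firewall, NetFlow or IDS exports once they are normalized to key=value fields.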
Timeline 2016.12.05 – Vulnerabilities reported
2016.12.12 – Reminder to vendor to provide feedback
2017.01.03 – First feedback from vendor
2017.06.16 – Vendor released private advisory
2017.06.30 – Vendor notified Kaspersky Lab ICS CERT
OVAL definition* KLCERT-17-003_OVAL

* To automate the process of analyzing the system for vulnerabilities described in this article, we created OVAL definitions – special XML files with rules for automatic scanning.

To use OVAL definitions, an interpreter needs to be downloaded and installed on the system to be tested – e.g., the free OVAL interpreter from MITRE. An interpreter uses OVAL definitions to collect information about the system and generate an HTML file containing a report on the presence/absence of vulnerable software.

Open Vulnerability and Assessment Language (OVAL) is a language that formalizes the representation of rules for scanning a system for vulnerabilities, installed software and applied patches, and for reporting the results of that assessment. OVAL is an open international standard that is part of SCAP (Security Content Automation Protocol). In the past it was maintained by the MITRE Corporation; now it is maintained by CIS (Center for Internet Security).
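The OVAL definition linked above encodes the affected-version boundary from the Affected products section (hasplms.exe before 19.3.1.66130, Sentinel LDK RTE before 7.55). As an added example, not the KLCERT-17-003 OVAL definition itself and not vendor code, the following reproduces that boundary check in Python over a constructed inventory of host/version pairs, so the comparison logic can be verified offline. The inventory format and every hostname and version in it are constructed; only the two fixed-version constants come from the advisory.

```python
"""Version-boundary check for KLCERT-17-003 / CVE-2017-11496.

Added example, not Kaspersky Lab's OVAL definition. The two fixed versions are
taken from the advisory; the 'host;version' inventory format and all sample
hosts and versions are constructed.
"""
import re
from typing import Dict, Tuple

FIXED_HASPLMS = "19.3.1.66130"  # advisory: hasplms.exe before this version is affected
FIXED_RTE = "7.55"              # advisory: Sentinel LDK RTE before 7.55 is affected

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str, parts: int = 4) -> Tuple[int, ...]:
    """Turn '19.3.1.66130' into (19, 3, 1, 66130), zero-padded to `parts` fields.

    Comparing integer tuples avoids two common mistakes in version checks:
    comparing strings lexically ('19.3.1.7' > '19.3.1.66130') and comparing
    as floats ('7.5' == '7.50'). Anything that is not dotted digits is rejected
    so a missing or garbled value is reported rather than silently treated as 0.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in text.split(".")]
    if len(nums) > parts:
        raise ValueError(f"more than {parts} components: {text!r}")
    return tuple(nums + [0] * (parts - len(nums)))


def hasplms_is_vulnerable(file_version: str) -> bool:
    """True if the hasplms.exe file version is below the fixed build."""
    return parse_version(file_version) < parse_version(FIXED_HASPLMS)


def rte_is_vulnerable(rte_version: str) -> bool:
    """True if the Sentinel LDK RTE version is below 7.55."""
    return parse_version(rte_version, parts=2) < parse_version(FIXED_RTE, parts=2)


def assess_inventory(inventory: str) -> Dict[str, str]:
    """Map each 'host;hasplms-version' line to 'vulnerable', 'patched' or 'unparseable'."""
    result: Dict[str, str] = {}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(";")
        try:
            result[host] = "vulnerable" if hasplms_is_vulnerable(version) else "patched"
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = """\
# host;hasplms.exe file version
hmi-01;19.3.1.66130
eng-ws-07;19.2.0.55312
scada-srv;19.3.1.66129
lic-srv;19.4.0.1
hist-01;n/a
"""

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

On a live Windows host the version fed into `hasplms_is_vulnerable` would be the file version read from hasplms.exe's properties, which is exactly what the OVAL interpreter collects; the point of the example is the boundary logic, in particular that 19.3.1.66129 is still affected while 19.3.1.66130 is the first fixed build, and that an unreadable version is surfaced rather than scored as safe.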