03 October 2017

Several more vulnerabilities found and closed in popular license manager

Kaspersky Lab ICS CERT has identified multiple vulnerabilities in the hasplms service, which is part of Gemalto's HASP SRM, Sentinel HASP and Sentinel LDK products: denial of service (DoS), an NTLM-relay attack, a stack buffer overflow, remote enabling of the web admin interface, arbitrary memory read and possible remote code execution (RCE).

The vulnerable products are commonly used for license control and management across various business sectors: industrial control systems, financial institutions, banking solutions, etc. The vulnerable version of the driver can be installed on a system automatically by plugging in a USB license key.

The vulnerable hasplms service opens port 1947/tcp, on which a web interface is enabled by default. A remote attacker can switch the web admin interface on or off. All the vulnerabilities can be exploited remotely, whether or not the web admin interface is enabled.

Kaspersky Lab ICS CERT reported the vulnerabilities to the vendor, which did not release a public advisory. Customers who have Sentinel LDK Run-time Environment (RTE) versions 2.10 – 7.50 are advised to update to the latest Sentinel LDK RTE component (v7.6), which was released on July 27, 2017. This update can be found on the Sentinel Downloads site.

Kaspersky Lab ICS CERT has assigned the following CVE numbers:

  1. CVE-2017-12818
    Stack overflow in a custom XML parser leads to remote denial of service.
  2. CVE-2017-12819
    Remote manipulation of the language pack updater leads to an NTLM-relay attack against the system user.
  3. CVE-2017-12820
    Arbitrary memory read from an attacker-controlled memory pointer leads to remote denial of service.
  4. CVE-2017-12821
    Memory corruption may lead to remote code execution.
  5. CVE-2017-12822
    The license manager web interface is enabled in the default configuration, and even if disabled, it can be enabled remotely.