FlexNet Beacon Vulnerability Update IOJ-2184010

Executive Summary

A vulnerability has been identified that potentially allows, in some circumstances, path traversal to restricted directories on FlexNet Beacon 2020 R2.2 and earlier if anonymous authentication is configured on the FlexNet Beacon.

Exploitability Assessment

Publicly disclosed: No

Exploited? No known exploits

Cause

For security reasons, Flexera will not publish the cause of this security vulnerability.

Steps to Reproduce

For security reasons, Flexera will not publish the steps to reproduce this security vulnerability.

Resolution

Flexera has published FlexNet Beacon security update IOJ-2184010 that resolves this vulnerability for Beacon versions from 2018 R1 and later. For FlexNet Manager Suite versions older than 2018 R1, Flexera recommends upgrading to the latest version of FlexNet Manager Suite.

On-premises customers

Please download the appropriate updated FlexNet Beacon version available through the Product and License Center (Flexera Community > More > Product and License Center). Updates are available for Beacon versions 2018 R1 and later, as shown in the following table. (For FlexNet Manager Suite versions older than 2018 R1, Flexera recommends upgrading to the latest version of FlexNet Manager Suite.)
Note: The FlexNet Beacon 2019 R2 update package is backward compatible with three earlier versions, as shown in the table below, and can be used for these upgrades. You may also need to update the properties of each inventory beacon (Discovery & Inventory > Network > Beacons, click through to open the properties of an inventory beacon, and in the General tab, set Upgrade mode). Your connected inventory beacons then automatically upgrade after their next policy update.

FlexNet Beacon versions   Compatible FlexNet Beacon Fix version        FlexNet Beacon Upgrade File in PLC
-----------------------   -------------------------------------------  --------------------------------------
FlexNet Beacon 2018 R1    FlexNet Beacon 2019 R2 with security update  FNMS 2019 R2 Beacon Upgrade 14.0.2.zip
FlexNet Beacon 2018 R2    FlexNet Beacon 2019 R2 with security update  FNMS 2019 R2 Beacon Upgrade 14.0.2.zip
FlexNet Beacon 2019 R1    FlexNet Beacon 2019 R2 with security update  FNMS 2019 R2 Beacon Upgrade 14.0.2.zip
FlexNet Beacon 2019 R2    FlexNet Beacon 2019 R2 with security update  FNMS 2019 R2 Beacon Upgrade 14.0.2.zip
FlexNet Beacon 2020 R1    FlexNet Beacon 2020 R1 with security update  FNMS 2020 R1 Beacon Upgrade 15.0.1.zip
FlexNet Beacon 2020 R2    FlexNet Beacon 2020 R2 with security update  FNMS 2020 R2 Beacon Upgrade 16.0.2.zip

SaaS customers

Your action depends on your current settings in Discovery & Inventory > Settings > Beacon settings:
  • If you have Beacon version approved for use set to "Always use the latest version", the security patch is already applied automatically to your connected inventory beacons (those that download policy and upload inventory automatically). If you have any disconnected inventory beacons, use your normal method to upgrade those to version 16.2.2.30 or later.
  • If you have the approved beacon version set to anything earlier than 16.2.2.30, you should change this setting to version 16.2.2.30 or later. You may also need to update the properties of each inventory beacon (Discovery & Inventory > Network > Beacons, click through to open the properties of an inventory beacon, and in the General tab, set Upgrade mode). Your connected inventory beacons then automatically upgrade after their next policy update.

Manual upgrade (on-premises and SaaS)

If you decided to upgrade an inventory beacon manually, please disable beacon auto-upgrade through the beacon properties before upgrading manually. If you don't modify the settings for automatic upgrades, the next update of beacon policy reverts the inventory beacon back to the previous setting.

Where to deploy (on-premises)

FlexNet Beacon update IOJ-2184010 needs to be deployed on the web application server and inventory server. In the case of a single server implementation of FlexNet Manager Suite, the update only needs to be run once. In the case of a multi-box implementation (where the web application server and the inventory server are separate servers), the update needs to be run on both the web application server and the inventory server. For detailed instructions, please follow the readme.txt file shipped with the update.

Single server implementation

  1. Web application server + inventory server combined (apply the update once)

Multi-server implementation

  1. Web application server (apply update)
  2. Inventory server (apply update)

Workaround

Flexera recommends upgrading inventory beacons to an available FlexNet Beacon version with a security update. As a workaround, you can disable anonymous authentication and enable user authentication.

Acknowledgment

A Flexera customer has identified this vulnerability.

Applies to

FlexNet Manager Suite On-Premises, Multi-tenant (including Cloud) installations of FlexNet Beacon version 2020 R2.2 and earlier.

Comments

Hello, from the readme.txt: "The following must be done on every batch and presentation server."

What is presentation server?

This server type is not described in the "Installing FNMS on Premises" document. The following server types are described there:

  • Single (full) application server (Inventory + Web + Batch)
  • Processing server (Inventory + Batch)
  • Inventory server
  • Web application server
  • Batch scheduling server

Thank you!

Hi pavol_holes, and apologies for the confusion. The author has used one of the internal, conversational names for the "web application server". This server presents the user interface, and many engineers prefer to say 'presentation server' as it has fewer syllables! HTH

Hi @pwesthorp, thanks a lot for the explanation. Have a great day!

Hello,

so the instructions are: "The following must be done on every batch and presentation web server."

I've run the .\deploy.ps1 on the Batch server, and immediately after the splash screen the script failed with:

D:\temp\FNMS2020R2_Beacon_Upgrade_16.0.2_Hotfix_IOJ-2184010\deploy.ps1 : No files to install.

I looked into deploy.dsl.ps1 and there I see an "On Presentation" section, which means the Web server, and an "On Inventory" section. Why isn't there Batch? Why is there Inventory? Readme.txt doesn't mention the Inventory server at all.

And generally speaking about the instructions: should we deploy the hotfix to the Batch, Web and DB servers to fix the Beacons? Should we not do anything with the Beacons? What about the "Beacon" installed on the Inventory server?

From the text in this article: "FlexNet Manager Suite Cloud customers who have auto-upgrade turned off should upgrade their FlexNet Beacons to version 16.2.2.30 or later."

When we're on-prem with auto-upgrade disabled, how should we proceed? Will this Hotfix deploy the Beacon installer to the Batch server, where we can download the installer from (using the FNMS GUI), and then we need to manually update the Beacons? The instructions in readme.txt do not mention anything about the Beacons.

Thank you!

Regards,

Pavol

I cannot find the hotfix for 2020 R1. I have checked the product downloads site and others with no resolve. How can the hotfix be found?

Cancel that I was able to find the download.

There are several known issues with 2019 R2 beacons, so we had to re-install many beacons as 2019 R1. If I'm reading this correctly, the fix for this issue on a 2019 R1 beacon involves upgrading to 2019 R2 with the security patch. If that's true, are all the previous issues with 2019 R2 beacons fixed in this version?

Thanks!

As the "deploy.ps1" PowerShell script provided for deploying the patch is not signed, you have to lower the security or execute the following command inside of the PowerShell window before executing the .\deploy.ps1 command:

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

Additional observations after deploying the FNMS 2020 R2 version of this patch in a FNMS 2020 R2 testing environment:

  1. Manually executing the BeaconInstaller16.0.2.10.exe that is contained in the patch installer download on a Beacon - or on an FNMS application server that has a Beacon installed - results in the user being prompted for a reboot.
  2. The automatic update mechanism for Beacons seems to work. However, this mechanism requires that Beacons are configured to use the "Always use the latest version" setting for upgrading. Otherwise, the BeaconInstaller16.0.2.10.exe (that is hidden in subfolders of the patch) needs to be copied to target Beacon(s) and needs to be run manually on these Beacons.
  3. The patch contains an updated Beacon installer named BeaconInstaller16.0.2.10.exe (three times, actually). However, after running this installer, the Beacon configuration UI (InventoryBeacon.exe) still shows the old version 16.0.1.3 in the splash screen. Also, the new Beacon version number is not reflected when you open the properties of a Beacon in the FNMS Web UI. The only way to confirm that the patch has been applied successfully to a Beacon seems to be to manually check the file size and file modification date of the executables in the :\Program Files (x86)\Flexera Software\Inventory Beacon\DotNet\bin folder and compare these data with a Beacon where the patch has not yet been applied.
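As an added example (not Flexera's code and not part of the KB article or this comment), the following PowerShell script turns the manual file-size and date comparison described in point 3 into a repeatable check: run it once with -Export on a beacon known to be patched to record a baseline of the DotNet\bin binaries (name, size, timestamp, SHA-256), then run it on any other beacon to list binaries that differ from that baseline. The folder path is the one quoted in the comment (the drive letter is an assumption), and the baseline file name is a constructed placeholder.

```powershell
# Added example: compare an inventory beacon's DotNet\bin binaries against a
# baseline captured from a beacon that is known to have the patch applied.
# Assumptions: the bin folder path (drive letter C:) and the baseline CSV name.
param(
    [string]$BinPath  = 'C:\Program Files (x86)\Flexera Software\Inventory Beacon\DotNet\bin',
    [string]$Baseline = '.\patched-beacon-baseline.csv',   # constructed placeholder name
    [switch]$Export                                          # run with -Export on a patched beacon
)

function Get-BeaconBinInventory {
    # Collect name, size, UTC modification time and SHA-256 for every exe/dll.
    param([string]$Path)
    Get-ChildItem -Path $Path -File -Include *.exe, *.dll -Recurse |
        ForEach-Object {
            [pscustomobject]@{
                Name          = $_.Name
                Length        = $_.Length
                LastWriteTime = $_.LastWriteTimeUtc.ToString('o')
                Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$current = Get-BeaconBinInventory -Path $BinPath

if ($Export) {
    # Baseline mode: write the inventory of the patched reference beacon.
    $current | Export-Csv -Path $Baseline -NoTypeInformation
    Write-Host "Baseline written to $Baseline ($($current.Count) files)"
    return
}

# Check mode: anything whose name/hash pair is not in the baseline is either
# still unpatched, missing, or an unexpected extra file on this beacon.
$reference = Import-Csv -Path $Baseline
$diff = Compare-Object -ReferenceObject $reference -DifferenceObject $current -Property Name, Sha256

if (-not $diff) {
    Write-Host 'All binaries match the patched baseline.'
} else {
    foreach ($entry in $diff) {
        $state = if ($entry.SideIndicator -eq '<=') { 'expected (baseline) but not found here' }
                 else { 'present here but not in baseline' }
        Write-Host ('{0,-40} {1}  {2}' -f $entry.Name, $entry.Sha256, $state)
    }
    exit 1    # non-zero exit so the check can be used from a scheduled job
}
```

A binary reported on both sides with two different hashes is the normal signature of an unpatched beacon; a file reported only from the baseline side means the patched version was never copied to this beacon.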

Hi Everyone,

Apologies for the inconvenience. I have added a section (Where to deploy) in the KB article itself to clarify which FNMS component servers the update needs to be applied to.

Please ignore the batch server within the readme.txt instruction file for now; I will get that sorted later.

Thanks for all your feedback.

Aamer

Hi @DiannaB, this FlexNet Beacon 2019 R2 update includes hotfixes delivered in the past for FlexNet Beacon version 2019 R2.

Thanks,

Aamer

After further investigation, we found that the Beacon version number is updated correctly both in the Beacon splash screen, as well as in the [Beacons] table and in the FNMS UI.

The Beacon upgrade process can take several hours though, even for a Beacon that is connected directly to the FNMS Inventory server. And obviously, you must have the auto-upgrade mechanism for the Beacon(s) switched on.

How I see it, this is the WORST Hotfix ever provided by Flexera for FNMS! Because (in italics are my updates to the instruction):

  • Instructions are using terms not used publicly anywhere (presentation web server).
  • Instructions have wrong deployment servers (batch inventory server).
  • Insufficient instructions to actually deploy the Hotfix on Beacons. Current instructions will only deploy the Beacon installer to the central server(s) and Beacons won't be touched if the auto-upgrade is turned off (FlexNet Manager Suite Cloud All customers who have auto-upgrade turned off should upgrade their FlexNet Beacons to version 16.2.2.30 or later manually. The Beacon installer file can be downloaded from the FNMS GUI > Discovery & Inventory > Beacons > Deploy a beacon > select 16.0.2.10 from the dropdown and click the Download a beacon button. Then install the Beacon according to the "Installing FNMS 2020 R2 on Premises" document.)
  • PowerShell deployment files not signed (before executing ".\deploy.ps1" in PowerShell you need to execute "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass" to lower the security for the session). Thanks @erwinlindemann.
  • Database script "Update.SQL" is not selecting the FNMSCompliance database, or the instructions are not mentioning that this needs to be done.

Flexera, what is happening with the FNMS deployment? Why were we provided with this very low-quality Hotfix? This is not how the market leader should be deploying software to all customers.

Would you be so kind as to provide us next time with a Hotfix which is correctly coded, properly signed, appropriately tested and accompanied by clear deployment instructions?

I hope this was the last time we had to experience such behavior towards all FNMS customers!

Thank you.
Regards,

Pavol

Thanks, @pavol_holes, for the feedback. We will be updating the instructions in the readme.txt and take this feedback on board to improve our process and avoid inconvenience in the future.

Thanks all for the valued feedback, much appreciated.

Aamer

After the deployment of FlexNet Beacon Vulnerability Update IOJ-2184010 (installation of the Hotfix for FNMS-73110) we get for all beacons: 'Last download of packages for managed devices failed. Check the log file on the beacon server.'
We don't have a parent-child setup for the beacons.
The Beacon version is now 14.0.2.95 on all beacons and the status is operating normally.

On the FNMS Web Server the folder below is missing:
ProgramData\Flexera Software\Warehouse\Staging\Common\Packages\Flexera\Upgrade\14.0.2

Hi @pavol_holes,

My apologies that you have faced so many difficulties with this update for inventory beacons. Of all your concerns, I am only able to address the last one, about the update for the Inventory Beacon Change Log (On-Premises).

The reason that the Change Log document had not yet been updated was because this was not a full release of the on-premises FlexNet Manager Suite product. Until now, it has been our practice to update/publish all our release notes documentation only at time of the full product release.

Furthermore, the on-premises edition of the Inventory Beacon Change Log should not be updated with the beacon release number 16.2.2.30, because that is the release number for the cloud product – you can see that already documented in the cloud edition of the Inventory Beacon Change Log. The version numbers for updating on-premises implementations depend on what version is currently implemented in each site, and these are the file names that are listed in the table in the KB article above for download from the Product and License Center. Now, I agree that this distinction between cloud and on-premises wasn’t sufficiently clear in the KB article or read-me, and I have made some suggestions for improvements in the KB article to clarify this (and the subsequent process for beacon updates). I believe that changes will appear in the KB article within the next 24 hours (including some corrections to quoted file names).

However, your valuable feedback has led me to reassess our previous practice of updating release notes only at the time of full releases. It’s clear that you expect the Change Log to be republished at the time of any hotfixes (rather than just including that information at the next full release). For this reason, I have updated the Inventory Beacon Change Log (On-Premises) now to include the three patched versions of the inventory beacon installers. And in future, I’ll try to stay in touch with any hotfixes, and update the appropriate release documents at that time, as well as for the full releases as before.

I hope that this will be of some small assistance.

@AamerSharif @pwesthorp  Can either of you confirm that the known communication issues in the 2019 R2 beacon have been fixed in this 14.0.2 on-prem beacon release?  We downgraded 2019 R2 beacons to R1 due to those issues, so we are hesitant to apply this 14.0.2 upgrade unless those issues are fixed.  Thanks!

Hi DiannaB, FNMS 2019 R2 Beacon Upgrade 14.0.2 includes the following fixes made to improve beacon stability.

Master Issue Numbers for the beacon stability improvements included in Inventory beacon 14.0.2: IOJ-2080959, IOJ-2108780, IOJ-2087160

Hope this will help.

Aamer

Product Manager ITAM / Flexera One

Hi Everyone, 

The inventory beacon upgrade files have been uploaded to the PLC with the updated readme.txt instructions (providing more clarity about deployment); the current KB article reflects the newly uploaded file names.

Thanks for the valuable feedback to improve our release process.

Aamer

Product Manager ITAM / Flexera One

Hi @DiannaB and other listeners-in, just FYI I have updated the on-premises version of the Inventory Beacon Change Log to list those three repaired issues in the 14.0.2 release.

Really having trouble finding the on-prem file to download. Is there a reason why you haven't created links above?

Hi @AThorpe 

Sorry to hear that you have faced difficulty in finding the beacon-released version.

If you search for the product "FlexNet Manager Suite" and click on Download Packages, you will find all the FNMS released versions. When you click on the specific FNMS version you will find a zipped file with the name mentioned above in the KB. I have attached a screenshot for version 2021 R1.

The link was not published as it requires a login to the PLC, so it was not going to help.

[Attached screenshot: Beacon Update for version 2021 R1.PNG]

Hope this will help.

Thanks,

Aamer

Product Manager ITAM / Flexera One

@CSpijkers Did you resolve the managed package download error? Our beacons are showing the same.

@dbecker 

We fixed it manually as follows:
Copy the folder from the downloaded patch:
\FNMS 2019 R2 Beacon Upgrade 14.0.1\files\Staging\Common\Packages\Flexera\Upgrade\14.0.2

to the FNMS Web Server:
C or D \ProgramData\Flexera Software\Warehouse\Staging\Common\Packages\Flexera\Upgrade
into the folder: 14.0.2

Then restart the FlexNet Beacon Service on the beacons.

Version history: revision 10 of 10, last updated May 12, 2021 01:15 AM.