Executive Summary

A potential vulnerability exists in FlexNet inventory agent and inventory beacon installations of version 2022 R2.3 (Part Number 19.3.0) and earlier on Unix-like platform devices running Docker daemon containers. The vulnerability may potentially allow privilege escalation.

To address the potential vulnerability, Flexera quickly established mitigations through the security update IOK-1085727 for the FlexNet inventory agent and inventory beacon version 2022 R2.4 Part Number: 19.4.0.

CVE Identifier

CVE-2023-29082

Exploitability Assessment

Publicly disclosed? No.

Exploited? No known exploits.

Cause

For security reasons, beyond the described vector and impact, Flexera will not publish further details regarding the cause of this potential vulnerability.

Rating

The potential vulnerability has been rated with a CVSS (Common Vulnerability Scoring System) version 3.1 base score of 7.8.

Please be aware that the CVSS version 3.1 and its automatic calculation of the CVSS scoring based on the CVSS metrics are known to have scaling issues such that potential vulnerabilities frequently end up in the higher-scoring brackets.

Flexera’s internal vulnerability analysis and assessment team “Secunia Research” assigned a criticality rating of “Less Critical”, which is the second-lowest “Secunia Research” criticality rating on a scale of 5 criticality ratings (from “Not Critical” through “Extremely Critical”).

Steps to Reproduce

For security reasons, Flexera will not publish the steps to reproduce this security vulnerability.

Resolution

Flexera has released an update to address a security vulnerability in the FlexNet inventory agent and inventory beacon remote inventory for Unix-like platforms. The updated versions, 2022 R2.4 Part Number: 19.4.0, resolve the vulnerability as detailed in the security update IOK-1085727. Flexera recommends upgrading FlexNet inventory agent and inventory beacon versions 2022 R2.3 Part Number: 19.3.0 and earlier to version 2022 R2.4 Part Number: 19.4.0 or later.

Workaround

This vulnerability can be mitigated by including the following folder in the list of excluded file evidence folders for Linux/UNIX operating systems.

  • /var/lib/

For reference, file path exclusions are configured on the Inventory Settings page (screenshot of the user interface omitted).

On-premises customers

Please download the updated FlexNet inventory agent and inventory beacon version 2023 R1 or later, available through the Product and License Center (Flexera Community > More > Product and License Center). Flexera recommends upgrading to the latest version of the FlexNet inventory agent and inventory beacon, or of FlexNet Manager Suite.

Note: The FlexNet inventory agent and inventory beacon update packages are designed to be compatible with the operating systems and architectures supported by the FlexNet Manager Suite version currently in use.

Beacon upgrade settings

You may also need to update the properties of each inventory beacon (Discovery & Inventory > Network > Beacons, click through to open the properties of an inventory beacon, and in the General tab, set Upgrade mode). Your connected inventory beacons then automatically upgrade after their next policy update.

If you have Beacon version approved for use set to "Always use the latest version", the security patch will have been applied automatically to your connected inventory beacons (those that download policy and upload inventory automatically); however, Flexera always recommends that you confirm that beacons are updating as expected. If you have any disconnected inventory beacons, use your normal method to upgrade those to version 19.4.0 or later.

If you have the approved beacon version set to anything earlier than 19.4.0, you should change this setting to version 19.4.0 or later.

Inventory agent for automatic deployment and upgrade settings

  • If you use FlexNet Manager Suite to upgrade the FlexNet inventory agent automatically, set the version to deploy to 20.1.0, and set the upgrade mode and platform options to the mode and platforms you want to upgrade.

If you deploy the inventory agent and inventory beacon from a supported FlexNet Manager Suite version earlier than 2023 R1, configure the inventory agent upgrade by following the instructions in the upgrade guide:

  • .\ConfigureSystem.exe select-agent-upgrade --version versionstring

Note: This FlexNet inventory agent security update is for the FlexNet inventory agent for the Unix-like platforms. Inventory agent and inventory beacon version 19.4.0 and later are compatible with earlier supported versions of FlexNet Manager Suite. FlexNet inventory agent and beacon versions earlier than version 19.4.0 have been deprecated.

Flexera One ITAM and FNMS do not support automatic upgrading of the Flexera inventory agent for Debian Linux.

Flexera One customers

Your action depends on your current settings in Discovery & Inventory > Settings:

  1. Beacon settings (Beacon version approved for use)
  2. Inventory agent for automatic deployment (Configured version to deploy/upgrade)

Beacon upgrade settings

  • If you have the Beacon version approved for use set to "Always use the latest version", the security patch is already applied automatically to your connected inventory beacons (those that download policy and upload inventory automatically). If you have any disconnected inventory beacons, use your normal method to upgrade those to 19.4.0 or the latest version (Recommended).
  • If you have the approved beacon version set to anything earlier than 19.4.0, you should change this setting to version 19.4.0 or later (the latest version recommended). You may also need to update the properties of each inventory beacon (Discovery & Inventory > Network > Beacons, click through to open the properties of an inventory beacon, and in the General tab, set Upgrade mode). Your connected inventory beacons then automatically upgrade after their next policy update.

Inventory agent for automatic deployment and upgrade settings

  • If you use the Flexera One IT Asset Manager auto-upgrade feature to upgrade the FlexNet inventory agent, set the version to deploy to 21.0.0, and set the upgrade mode and platform options to the mode and platforms you want to upgrade.

Note: All previously supported releases of the inventory agent and inventory beacon have been deprecated in Flexera One IT Asset Manager and IT Visibility for cloud customers, including the inventory agent for supported non-Windows operating systems. Flexera recommends that customers use the latest available release of the inventory agent and inventory beacon for future deployments and upgrades.

Flexera One ITAM and FNMS do not support automatic upgrading of the Flexera inventory agent for Debian Linux.

Manual upgrade (On-premises and Flexera One)

If you decide to upgrade an inventory beacon manually, please disable the inventory beacon auto-upgrade through the beacon properties before upgrading manually. If you don't modify the settings for automatic upgrades, the next update of the beacon policy reverts the inventory beacon back to the previous setting.

Where to deploy (On-premises)

FlexNet inventory agent for Unix-like platforms and inventory beacon update IOK-1085727 need to be deployed on the web application server and inventory server. In the case of a single server implementation of FlexNet Manager Suite, the update only needs to be run once. In the case of a multi-box implementation (where the web application server and the inventory server are separate servers), the update needs to be run on both the web application server and the inventory server.

Single server implementation (On-premises)

  1. Web application server + inventory server combined (apply the update once)

Multi-server implementation (On-premises)

  1. Web application server (apply update)
  2. Inventory server (apply update)

Acknowledgment

Credit for identifying this issue goes to Patrick Romero of CrowdStrike.

Applies to

FlexNet inventory agent and inventory beacon versions prior to 19.4.0 for Unix-like platforms used by Flexera One IT Asset Management, IT Visibility, and FlexNet Manager Suite for On-Prem customers.
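An added triage helper, not part of Flexera's advisory or product code: it applies the affected-version criteria above (Unix-like platform, agent part number below 19.4.0, Docker daemon present) and the "Beacon version approved for use" rule to a constructed list of hosts and returns the next step for each. The host records, field names and version strings are assumptions made for the example.

```python
import re
from typing import NamedTuple, Optional, Tuple

FIXED_VERSION = (19, 4, 0)  # fixed in 2022 R2.4, Part Number 19.4.0
UNIX_LIKE = {"linux", "aix", "solaris", "hp-ux", "macos"}  # advisory scope; no Windows
class Host(NamedTuple):
    name: str
    os_family: str        # "linux", "windows", ...
    agent_version: str    # free-form export text, e.g. "2022 R2.3 Part Number: 19.3.0"
    docker_running: bool  # Docker daemon present on the device

def parse_part_number(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first x.y.z part number from free-form version text."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def beacon_setting_ok(approved_version: str) -> bool:
    """True when 'Beacon version approved for use' already yields a fixed build."""
    if approved_version.strip().lower() == "always use the latest version":
        return True
    ver = parse_part_number(approved_version)
    return ver is not None and ver >= FIXED_VERSION

def assess(host: Host) -> str:
    """Classify a host as not-applicable, unknown-version, patched or affected."""
    if host.os_family.lower() not in UNIX_LIKE:
        return "not-applicable"
    ver = parse_part_number(host.agent_version)
    if ver is None:
        return "unknown-version"
    return "patched" if ver >= FIXED_VERSION else "affected"

def action(host: Host) -> str:
    """Next step per the advisory's resolution and workaround sections."""
    status = assess(host)
    if status == "affected" and host.docker_running:
        return "upgrade to 19.4.0+; exclude /var/lib/ from file evidence until done"
    if status == "affected":
        return "upgrade to 19.4.0+ (Docker absent, exposure condition not present)"
    if status == "unknown-version":
        return "verify installed agent version manually"
    return "no action"

# Constructed sample inventory, not real data.
SAMPLE = [
    Host("lnx-app01", "linux", "2022 R2.3 Part Number: 19.3.0", True),
    Host("lnx-db02", "linux", "2022 R2 (19.0.0)", False),
    Host("lnx-ci03", "linux", "2023 R1 (20.1.0 build 13)", True),
    Host("win-fs01", "windows", "19.3.0", False),
]
```

Run `for h in SAMPLE: print(h.name, assess(h), action(h))` to list each host's status and next step.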

Security Best Practices

Regardless of the limited vector the potential vulnerability provides, Flexera would like to take the opportunity to remind customers that basic security best practices should be followed in conjunction with FlexNet inventory agent and inventory beacon installation and use.

  • FlexNet inventory agent, inventory beacon, and FlexNet Manager Suite server communication should be secured using HTTPS.
  • Privileges to access Flexera's products, their components, the systems they run on and utilized networks should be granted on a least (minimal) privilege basis.

Comments

mschwach (Level 7):

Hi Team,

Thanks for the info.

Does it also apply to the setup if the InventoryBeacon is on 2023 R1 (20.1.0 build 13) but the agents remain at 2022 R2 (19.0.0)?

regards,

Matthias

AamerSharif (Level 9 Flexeran):

Good question @mschwach

In the scenario you have described, yes, inventory agent version 19.0.0 needs to be upgraded to the latest version in use. I would also suggest applying the suggested workaround above, which is instant, followed by an inventory agent upgrade, as that may take a bit more planning and execution.

Hope this will help.

Aamer

Junaid_V (Level 4):

@AamerSharif

Will excluding /var/lib/ cause any significant impact on evidence reporting or the application inventory process for Linux/Unix systems?

AamerSharif (Level 9 Flexeran):

@Junaid_V

No, it should not, as the /var/lib/ path is not used for application installation.

IronManMK10 (Level 6):

Where do we get 19.4.0 from, as it is not available in downloads?

pavol_holes (Level 6):

More information about the vulnerability: https://www.crowdstrike.com/blog/crowdstrike-discovers-vulnerability-in-flexnet-inventory-agent/

I believe this KB should be updated with:

Exploitability Assessment

Publicly disclosed? Yes.

Version history: last update Dec 17, 2023 07:46 PM