cancel
Showing results for 
Search instead for 
Did you mean: 

CVE-2015-8277 remediated in FlexNet Publisher

CVE-2015-8277 remediated in FlexNet Publisher

Summary

CVE-2015-8277 has been discovered and remediated in FlexNet Publisher

Symptoms

****Only the following information is permitted to be distributed outside of Flexera Software and customers of FlexNet Publisher:
- CVE number
- CWE ID
- CVSS scores
- The text in the Workaround section
- Reference to any publicly-available information
****

This vulnerability exists on all platforms in all supported versions of the following FlexNet Publisher components:
  • lmgrd executable, provided by Flexera Software
  • vendor daemon executable, built by each FlexNet Publisher customer from object code provided by Flexera Software
Depending upon the license model(s) you offer to your customers, you may or may not distribute one or both of these components to one or more of your customers. If you don?t distribute either of these components, there is no further action on your part. If you do, you must distribute to those same customers the security update mentioned in the Resolution section of this article.

To understand the potential consequences of this vulnerability, see the Common Consequences section of CWE-120 (Common Weakness Enumeration). None of these consequences have been observed outside of test laboratory conditions.

This security vulnerability has been assigned the CVE ID number of CVE-2015-8277.

The CVSS base score for this vulnerability is 7.6.

Cause

For the cause of this vulnerability, see the Description section of CWE-120 (Common Weakness Enumeration).

Steps To Reproduce

For security reasons, Flexera Software will not publish the steps to reproduce this security vulnerability.

During the week of 22-Feb-2016, the following two articles were published by a security researcher:
  • https://www.securifera.com/advisories/cve-2015-8277/
  • http://securitymumblings.blogspot.com/2016/02/cve-2015-8277.html
Flexera Software was in contact with the original research team that discovered this security vulnerability, but Flexera Software did not participate in the publishing of these articles.

Resolution

As of 20-Nov-2015, the following security update is available from Flexera Software?s Product and License Center (https://flexerasoftware.flexnetoperations.com/control/inst/login?nextURL=%2Fcontrol%2Finst%2Findex):
  • FlexNet Publisher 2015 Security Update 1
This vulnerability was published by the US-CERT on 22-Feb-2016 here: https://www.kb.cert.org/vuls/id/485744

As a reminder, Flexera Software no longer distributes the lmgrd executable to your customers; your customers can only receive the lmgrd executable from you.

Workaround

Under only highly-customized environments would one of your customers expose the lmgrd or vendor deamon executables to the internet. If one of your customers exposes either of these components to the internet, then a partial workaround is to advise them to expose them to only a trusted network until they can be patched. Exposing either of these components to the internet raises the CVSS base score of this vulnerability to 9.0.

License Administrator Best Practices for Mitigating Risk Exposure

The following steps are recommended as License Administrator best practices to help protect against this and other security vulnerabilities:

  • Utilize the recommended security settings offered by the Operating System (OS) vendors that resist the buffer/stack overflow attacks. For example, the Data Execution Prevention (DEP) feature on Windows helps in this regard. Most OS updates also include security features that take advantage of both hardware and software based protection mechanisms against malicious code execution.
  • Launch lmgrd and vendor daemon executables using a least privileged security level
  • Limit access to only administrative users by launching lmgrd with the '-2 ?p' command-line option unless you are using FlexNet Manager for Engineering Applications. Refer to the product documentation for limitations related to usage of this command-line option.
  • Do not use the default 27000-27009 TCP ports for lmgrd (this only inhibits a hacker who doesn?t use an intelligent port scanning tool)

Additional Information

A security research team employed by a user of a FlexNet Publisher-licensed software application discovered this security vulnerability as part of their new penetration testing initiative. To our knowledge, only that security research team had knowledge of the vulnerability at the time of they disclosed it.

This vulnerability was not detected by the source code scanning tools and executable code scanning tools continuously used by Flexera Software.

****Only the following information is permitted to be distributed outside of Flexera Software and customers of FlexNet Publisher:
- CVE number
- CWE ID
- CVSS scores
- The text in the Workaround section
- Reference to any publicly-available information
****

Related Documents

https://cwe.mitre.org/data/definitions/120.html
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:A/AC:M/Au:N/C:C/I:C/A:P)
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:P)
Labels (1)
Was this article helpful? Yes No
No ratings