A Cross-Site Request Forgery (CSRF) vulnerability that can result in the addition of a local admin user to the lmadmin license server has been identified in FlexNet Publisher lmadmin.exe 11.10.X. Please see the Symptoms section for more details.
If you do not distribute lmadmin to your customers, there is no further action on your part. If you do, you must distribute to those same customers the security update mentioned in the Resolution section of this article.
This security vulnerability has been assigned the CVE ID number of CVE-2019-8962.
The lmadmin license server allows an authorized license administrator to create other local admin users. However, in FlexNet Publisher 11.10.X, once an admin user has been authenticated and authorized by lmadmin, a Cross-Site Request Forgery vulnerability exists that lets an attacker inherit the identity and privileges of the victim and perform an undesired action on the victim's behalf. In one reported instance, a POST request submitted with a valid session resulted in the creation of a new local admin user.
This vulnerability is mitigated in FlexNet Publisher 11.12.1 and later. Such an attack is prevented by a randomized token that the back-end assigns for a specific use case (in this instance, an authorized user wanting to add an admin user) and then verifies on receipt of the POST request. An attacker without access to the web front-end of the application would typically be unable to obtain this token, so such attacks would fail.
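The per-action token check described above, shown as an added illustration of the pattern rather than lmadmin's own code; the function names, the in-memory token store and the "add_admin_user" action label are assumptions:

```python
import hmac
import secrets
import time

# Constructed in-memory store: (session_id, action) -> (token, issued_at).
# A real server would keep this in its session state. Hypothetical names throughout.
_issued_tokens = {}
TOKEN_TTL_SECONDS = 600


def issue_csrf_token(session_id, action):
    """Mint a random token when the form for one action is rendered to a logged-in user."""
    token = secrets.token_urlsafe(32)
    _issued_tokens[(session_id, action)] = (token, time.time())
    return token


def verify_csrf_token(session_id, action, presented, now=None):
    """Check the token presented with a POST; it must match the session AND the action,
    must not have expired, and is consumed on success so it cannot be replayed."""
    now = time.time() if now is None else now
    entry = _issued_tokens.get((session_id, action))
    if entry is None:
        return False
    expected, issued_at = entry
    if now - issued_at > TOKEN_TTL_SECONDS:
        _issued_tokens.pop((session_id, action), None)
        return False
    # Constant-time comparison so the token cannot be recovered byte by byte via timing.
    if not hmac.compare_digest(expected, presented or ""):
        return False
    _issued_tokens.pop((session_id, action), None)
    return True


def handle_add_admin_post(session_id, form):
    """Hypothetical handler: a POST riding on a valid session but lacking the token
    (the cross-site case, since a third-party page cannot read it) is refused."""
    if not verify_csrf_token(session_id, "add_admin_user", form.get("csrf_token", "")):
        return 403, "CSRF token missing, expired, or invalid"
    return 200, "admin user %s created" % form["username"]
```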
FlexNet Publisher 11.12.1 and later address the security vulnerability and are available on Flexera's Product and License Center.
We advise all FlexNet Publisher customers to update lmadmin.exe to FlexNet Publisher 11.12.1 or later.
For identifying this vulnerability and disclosing it to Flexera under a responsible disclosure process, we give a big thanks to Ismail Tasdelen (LinkedIn, Twitter, GitHub).