A Denial of Service vulnerability was discovered, on Certain message protocol in FlexNet Publisher's lmadmin 11.16.6. Please see the Symptoms section for more details.
If you do not distribute lmadmin to your customers, there is no further action on your part. If you do, you must distribute to those same customers the security update mentioned in the Resolution section of this article.
Symptoms
**** Only the following information is permitted to be distributed to users of products enabled with FlexNet Publisher:
- CVE number (if available)
- CWE ID
- CVSS scores
- Any publicly available information
****
Certain message protocol in FlexNet Publisher lmadmin is unable to validate its message data. Such messages can cause lmadmin to crash. This vulnerability has been assigned the ID of CVE-2020-12080. The CVSSv3 base score for this vulnerability is 6.5; that is, medium severity.
Resolution
The FlexNet Publisher 11.17.0 and later address the security vulnerability and will be available on Flexera’s Product and License Center. We advise all FlexNet Publisher customers update lmadmin.exe to FlexNet Publisher 11.17.0 or later. As good practice, we advise customers to expose lmadmin to only a trusted network. This will reduce the attack vector to only those attackers who have access to that trusted network.
Additional Information
For identifying this vulnerability and disclosing it to Flexera under a responsible disclosure process, we'd like to thank Tenable, Inc.
