Elevated Privilege issue discovered in FlexNet Publisher License Server

Summary

An elevate privilege vulnerability was discovered in the FlexNet Publisher License Server. This article provides details about the vulnerability as well as mitigation and remediation options.

Description

This elevated privilege vulnerability, if exploited, may allow bypassing the lmgrd -2 -p -local option used to restrict license server administration to a local license administrator. The impact of this could result in license server disruption by an unauthorized user. All versions of FlexNet Publisher are susceptible to this issue.

Workaround

Producers may use the -x license server option to mitigate the issue. The -x option disables certain commands to be executed on the lmgrd/vendor daemon. It can only be applied to lmdown and lmremove commands:

• -x lmdown option disables lmdown command on the lmgrd, preventing unauthorized license server shutdowns.
• -x lmremove option disables lmremove command on the vendor daemon.

We recommend users review the License Server Manager “lmgrd” section of the FlexNet Publisher License Administration Guide for details about the -x option. This document is available for download from the Product and License Center.

Resolution

This vulnerability is remediated in FlexNet Publisher 2022 R3 (11.19.2.0) or greater. Users will need to upgrade their lmgrd to this version or higher.

Additional Information

Revenera knows of no exploits of this vulnerability in production deployments.

For identifying this vulnerability and disclosing it to Revenera under a responsible disclosure process, we'd like to thank the team members at Rapid7.