Elevated Privilege issue discovered in FlexNet Publisher License Server
Summary
An elevated privilege vulnerability was discovered in the FlexNet Publisher License Server. This article provides details about the vulnerability as well as mitigation and remediation options.
Description
This elevated privilege vulnerability, if exploited, may allow bypassing the lmgrd -2 -p -local option used to restrict license server administration to a local license administrator. This could result in license server disruption by an unauthorized user. All versions of FlexNet Publisher are susceptible to this issue.
Workaround
Producers may use the -x license server option to mitigate the issue. The -x option prevents certain commands from being executed against lmgrd or the vendor daemon. It can only be applied to the lmdown and lmremove commands:
- The -x lmdown option disables the lmdown command on lmgrd, preventing unauthorized license server shutdowns.
- The -x lmremove option disables the lmremove command on the vendor daemon.
We recommend that users review the License Server Manager “lmgrd” section of the FlexNet Publisher License Administration Guide for details about the -x option. This document is available for download from the Product and License Center.
Resolution
This vulnerability is remediated in FlexNet Publisher 2022 R3 (11.19.2.0) or greater. Users will need to upgrade their lmgrd to this version or higher.
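The check below is an added example, not Revenera code: it classifies an lmgrd start-up command line and version string against the workaround and resolution described above. The function names, sample paths and sample version numbers are assumptions constructed for illustration; only the -x options and the 11.19.2.0 threshold come from this article.

```shell
#!/bin/sh
FIXED_VERSION="11.19.2.0"   # FlexNet Publisher 2022 R3, from this article

# version_ge A B: succeed when dotted numeric version A >= B (missing fields = 0).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a="" || a=${a#*.}
        [ "$b" = "$y" ] && b="" || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# has_x CMDLINE NAME: succeed when the command line carries "-x NAME".
has_x() {
    prev=""
    for tok in $1; do
        [ "$prev" = "-x" ] && [ "$tok" = "$2" ] && return 0
        prev=$tok
    done
    return 1
}

# audit_lmgrd CMDLINE VERSION: print remediated, mitigated, partial or exposed.
audit_lmgrd() {
    case $2 in
        ""|*[!0-9.]*) ;;   # unknown version: rely on the option checks only
        *) if version_ge "$2" "$FIXED_VERSION"; then echo remediated; return 0; fi ;;
    esac
    down=missing; remove=missing
    if has_x "$1" lmdown; then down=set; fi
    if has_x "$1" lmremove; then remove=set; fi
    case $down/$remove in
        set/set)         echo mitigated ;;
        missing/missing) echo exposed ;;   # -2 -p -local alone does not count
        *) echo "partial: -x lmdown $down, -x lmremove $remove" ;;
    esac
}

# Constructed sample inputs (path and version are illustrative).
audit_lmgrd "lmgrd -c /opt/flexlm/license.lic -2 -p -local" "11.18.3.1"
audit_lmgrd "lmgrd -c /opt/flexlm/license.lic -2 -p -local -x lmdown -x lmremove" "11.18.3.1"
```

Pass it the command line each license server is actually started with and the version that installation reports.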
Additional Information
Revenera knows of no exploits of this vulnerability in production deployments.
For identifying this vulnerability and disclosing it to Revenera under a responsible disclosure process, we'd like to thank the team members at Rapid7.