
IMPORTANT NOTICE: Possible Security Vulnerability in FlexNet Publisher lmadmin License Server Manager


Summary

A possible security vulnerability has been reported in the FlexNet Publisher lmadmin License Server Manager.

Synopsis

A possible security vulnerability has been reported in the FlexNet Publisher lmadmin License Server Manager. More specifically, it is possible that a malicious user with access to the internal network could remotely execute arbitrary code under the lmadmin user context. In response, we suggest implementing the following best practices. This remains a theoretical vulnerability only. There have been no reported exploits of this possible vulnerability, and to date it has not been reported by a Flexera Software customer.

Flexera Software will provide a patch for all affected lmadmin platforms by August 12, 2011.

Discussion

This possible vulnerability may affect all versions of the FlexNet Publisher lmadmin License Server Manager shipped since July 2008. All lmadmin supported platforms are potentially affected, although the behavior could differ between platforms. It is unlikely that the vendor daemons would be affected.

Potentially Affected lmadmin Platforms

Platforms
  • Windows x86-64 (64-bit) IPv4 and IPv6
  • Mac x86-32/64 (32 & 64 bit) and PPC-32 (32-bit) PPC IPv4 and IPv6
  • Linux x86-32 (32-bit) IPv4 and IPv6
  • Linux x86-64 (64-bit) IPv4 and IPv6
  • Solaris x86-32 (32-bit) IPv4
  • Solaris SPARC-32 (32-bit) IPv4
  • Solaris SPARC-64 (64-bit) IPv4
  • AIX PPC-32 (32-bit) IPv4
  • AIX PPC-64 (64-bit) IPv4
Potentially Affected FlexNet Components
Only the FlexNet Publisher lmadmin License Server Manager, which is offered as part of FlexNet Publisher, would be impacted by this potential vulnerability.

License Administrator Best Practices for Mitigating Risk Exposure
The following steps are recommended as License Administrator best practices:
  • Do not use the default 2700 TCP port.
  • Run the license server using a least privileged user account.
  • Use the security settings recommended by the Operating System (OS) vendors that resist buffer/stack overflow attacks. For example, the Data Execution Prevention (DEP) feature on Windows helps in this regard. Most OS updates also include security features that take advantage of both hardware- and software-based protection mechanisms against malicious code execution.
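
A host audit for the three best practices above, as an added example that is not part of the advisory or Flexera's own tooling. It assumes a Linux server with iproute2 `ss` and procps `ps`, the process name `lmadmin`, root as the stand-in for an over-privileged account, and the CPU NX flag as the Linux-side counterpart of the DEP setting; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes Linux, iproute2 `ss`, procps `ps`,
# and that the process is named "lmadmin" as in the advisory.
DEFAULT_PORT=2700   # default TCP port named in the advisory

# Reads `ss -H -ltnp` lines on stdin; fails if lmadmin listens on the default port.
check_port() {
    awk -v port="$DEFAULT_PORT" '
        /"lmadmin"/ {
            n = split($4, a, ":")   # $4 is local addr:port; the last piece is the port
            if (a[n] == port) { print "FAIL: lmadmin on default port " $4; bad = 1 }
        }
        END { exit bad + 0 }'
}

# Reads `ps -eo user=,comm=` lines on stdin; fails if lmadmin runs as root.
# Assumption: root stands in for "not least privileged".
check_user() {
    awk '$2 == "lmadmin" && $1 == "root" { print "FAIL: lmadmin runs as root"; bad = 1 }
         END { exit bad + 0 }'
}

# Reads /proc/cpuinfo text on stdin; fails if the CPU does not advertise NX.
check_nx() {
    grep -Eq '^flags[[:space:]]*:.* nx( |$)' || { echo "FAIL: no NX flag"; return 1; }
}

# Constructed sample input (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:2700 0.0.0.0:* users:(("lmadmin",pid=4242,fd=7))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=801,fd=4))'
SAMPLE_PS='root     lmadmin
root     sshd'

case "${1:-}" in
    --live)   rc=0
              ss -H -ltnp | check_port || rc=1
              ps -eo user=,comm= | check_user || rc=1
              check_nx < /proc/cpuinfo || rc=1
              exit "$rc" ;;
    --sample) printf '%s\n' "$SAMPLE_SS" | check_port
              printf '%s\n' "$SAMPLE_PS" | check_user ;;
esac
```

Run `--live` as root, since `ss -p` only shows process names for sockets the caller is allowed to inspect.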

FlexNet Publisher lmadmin License Server Manager Mitigation Plan
Flexera Software is urgently addressing this issue and will provide a patch for lmadmin version 11.10 only by August 12, 2011. Lmadmin is backwards compatible and will work with all versions of FlexNet Publisher (9.2 and above).

As soon as the patch is available, we will provide another communiqué on how to get the patch.


Customers will be notified today, August 3, 2011, of the possible security vulnerability, affected products and platforms, best practices, and the mitigation plan.

Additional Information

Flexera Software has been notified of two additional potential vulnerabilities with the License Server Manager and has started its investigation. We are proactively notifying you of these additional potential vulnerabilities. We have not yet confirmed whether they exist, and we are not aware of any attempts to exploit any potential vulnerability with the License Server Manager. We will continue to provide further communication regarding these potential vulnerabilities on or before August 17, 2011.

All inquiries should be directed to security@flexerasoftware.com