FlexNet Inventory Agent and Inventory Beacon Vulnerability Update IOJ-2210678

FlexNet Inventory Agent and Inventory Beacon Vulnerability Update IOJ-2210678

Executive Summary

A potential vulnerability exists in FlexNet inventory agent and inventory beacon versions 2020 R2.5 and earlier installations on Microsoft Windows. The vulnerability can potentially allow locally authenticated users to modify otherwise restricted files. The gain of further local privileges has not been reported. However, out of an abundance of caution, Flexera will not rule this out.

To address the potential vulnerability, Flexera quickly established mitigations through the security update IOJ-2210678 for the FlexNet inventory agent and inventory beacon version 2021 R1 release.

CVE Identifier

Exploitability Assessment

Publicly disclosed? No

Exploited? No known exploits

Cause

For security reasons, beyond the described vector and impact, Flexera will not publish further details regarding the cause of this potential vulnerability.

Rating

The potential vulnerability has been rated with a CVSS (Common Vulnerability Scoring System) version 3.1 base score of 7.8.

Please be aware that the CVSS version 3.1 and its automatic calculation of the CVSS scoring based on the CVSS metrics are known to have scaling issues such that potential vulnerabilities frequently end up in the higher-scoring brackets.

Flexera’s internal vulnerability analysis and assessment team “Secunia Research” assigned a criticality rating of “Less Critical”, which is the second-lowest “Secunia Research” criticality rating on a scale of 5 criticality ratings (from “Not Critical” through “Extremely Critical”)

Steps to Reproduce

For security reasons, Flexera will not publish the steps to reproduce this security vulnerability.

Resolution

Flexera has updated the Windows FlexNet inventory agent and inventory beacon for 2021 R1, resolving this vulnerability as detailed in security update IOJ-2210678. Flexera recommends upgrading FlexNet inventory agent and inventory beacon versions 2020 R2.5 and earlier to version 2021 R1 or later.

On-premises customers

Please download the updated FlexNet inventory agent and inventory beacon version 2021 R1 available through the Product and License Center (Flexera Community > More > Product and License Center). Updates are available for inventory beacon versions 2018 R1 and later, as shown in the following table. (For FlexNet Manager Suite versions older than 2018 R1, Flexera recommends upgrading to the latest version of FlexNet Manager Suite.)

Note: The FlexNet inventory agent and inventory beacon update packages are backward compatible with earlier versions, as shown in the table below, and can be used for these upgrades.

Beacon upgrade settings

You may also need to update the properties of each inventory beacon (Discovery & Inventory > Network > Beacons, click through to open the properties of an inventory beacon, and in the General tab, set Upgrade mode). Your connected inventory beacons then automatically upgrade after their next policy update.

If you have Beacon version approved for use set to "Always use the latest version", the security patch is already applied automatically to your connected inventory beacons (those that download policy and upload inventory automatically). If you have any disconnected inventory beacons, use your normal method to upgrade those to version 17.0.1 or later.

If you have the approved beacon version set to anything earlier than 17.0.1, you should change this setting to version 17.0.1 or later.

Inventory agent for automatic deployment

• If you are using FlexNet Manager Suite 2019 R1 or later for FlexNet inventory agent upgrade,  You can set the version to deploy to 17.0.1 and upgrade mode and platform options to an appropriate mode and platform you like to upgrade.

If you are using FlexNet Manager Suite 2018 R1 OR 2018 R2 for FlexNet inventory agent upgrade, you can set the inventory agent upgrade by following the instruction in the upgrade guide

.\ConfigureSystem.exe select-agent-upgrade --version versionString

• Configure Updates to Inventory Agents (FNMS 2018 R1 on Premises)
• Configure Updates to Inventory Agents (FNMS 2018 R2 on Premises)

Note: This FlexNet inventory agent security update is for FlexNet inventory agent for the Windows platform. The update contains FlexNet inventory agent for other platforms to provide a consistent inventory agent version in your environment.

 SaaS customers

Your action depends on your current settings in Discovery & Inventory > Settings  

1. Beacon settings (Beacon version approved for use)
2. Inventory agent for automatic deployment (Configured version to deploy/upgrade)

Beacon settings

• If you have Beacon version approved for use set to "Always use the latest version", the security patch is already applied automatically to your connected inventory beacons (those that download policy and upload inventory automatically). If you have any disconnected inventory beacons, use your normal method to upgrade those to version 17.0.2.41 or later.
• If you have the approved beacon version set to anything earlier than 17.0.2.41, you should change this setting to version 17.0.2.41 or later. You may also need to update the properties of each inventory beacon (Discovery & Inventory > Network > Beacons, click through to open the properties of an inventory beacon, and in the General tab, set Upgrade mode). Your connected inventory beacons then automatically upgrade after their next policy update.

Inventory agent for automatic deployment

• If you are using FlexNet Manager Suite 2019 R1 and later for FlexNet inventory agent upgrade,  You can set the version to deploy to 17.0.2 and upgrade mode and platform options to an appropriate mode and platform you like to upgrade.

Note. All the previous releases of the inventory agent and inventory beacon have been deprecated in FlexNet Manager Suite for cloud customers, including inventory agent for non-windows supported operating systems, we recommend our customers to use the latest available release of inventory agent and inventory beacon for future deployments and upgrades.

Manual upgrade (on-premises and SaaS)

If you decided to upgrade an inventory beacon manually, please disable the inventory beacon auto-upgrade through the beacon properties before upgrading manually. If you don't modify the settings for automatic upgrades, the next update of beacon policy reverts the inventory beacon back to the previous setting.

Where to deploy (on-premises)

FlexNet inventory agent and inventory beacon update IOJ-2210678 need to be deployed on the web application server and inventory server. In the case of a single server implementation of FlexNet Manager Suite, the update only needs to be run once. In the case of a multi-box implementation (where the web application server and the inventory server are separate servers), the update needs to be run on both the web application server and the inventory server. For detailed instructions, please follow the readme.txt file shipped with the update.

Single server implementation

1. Web application server + inventory server combined (apply the update once)

Multi-server implementation

1. Web application server (apply update)
2. Inventory server (apply update)

Acknowledgment

A Flexera customer identified the potential vulnerability.

Applies to

FlexNet Manager Suite On-Premises, Multi-tenant (including Cloud) installations on Microsoft Windows FlexNet inventory agent and inventory beacon version 2020 R2.5 and earlier.

Security Best Practices

Regardless of the limited vector the potential vulnerability provides, Flexera would like to take the opportunity to remind customers, that basic security best practices in conjunction with the FlexNet inventory agent and inventory beacon installation and use should be followed.

• FlexNet inventory agent, inventory beacon, and FlexNet Manager Suite server communication should be secured using HTTPS.
• Privileges to access Flexera's products, their components, the systems they run on and utilized networks should be granted on a least (minimal) privilege basis.

References

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&vers...