Elevated Privilege Issue with FlexNet Publisher Licensing Service on Windows


Summary

A local privilege escalation issue that could be exploited on Windows has been reported in an optional service of FlexNet Publisher (FNP) that is usually used with trusted storage. If you do not depend on the FlexNet Licensing Service, there is no impact to you and no further action is required on your part.

Please see the Symptoms section for more details.

Symptoms

The FlexNet Licensing Service on Windows runs with elevated privilege. The elevated privilege allows it to read some information required to protect our customers against license misuse and to protect their intellectual property. This elevated privilege can be used as an attack vector for an exploit on Windows.

The attack requires a local authenticated user; this vulnerability has no remote (network) vector. With standard security measures, as applied in any local environment, the risk of this vulnerability being exploited is considered low.

Originally, the vulnerability and its report used a vector that had been mitigated through a change in the Microsoft Windows 10 operating system. However, we received further updates from the reporter in January 2021 indicating the existence of more vectors, which expose the vulnerability.

Resolution

A complete solution will be available in the upcoming FlexNet Publisher 2021 R3 (11.18.2) release, which is planned for August 2021. We recommend customers upgrade to this version of FlexNet Publisher. 

Additional Information

No additional information at this time.

Related Documents

None at this time. 

Comments

Any news on this topic?

Is it planned to release patches for previous FNP versions once a resolution is identified?

Thank you for your feedback

@PierreMarqt, this topic is still under engineering assessment at this point in time. We will have further updates in the coming weeks.

What does "apply sufficient security measures to protect their applications" actually mean?

From FNP 2021 R2 (11.18.1) Release Notes (page 8):

Application Hardening on Windows
Researchers identified an elevated privilege issue related to the FlexNet Licensing Service, an optional FlexNet Publisher component used with trusted storage. It only impacts systems running on Windows.
Originally, the vulnerability and its report utilized a vector that had been mitigated through a change in the Microsoft Windows operating systems. However, we received further updates from the reporter in 2021 to indicate existence of more vectors and thus exposing the vulnerability.
This release contains an application hardening against this vulnerability by adding code to check for the existence of a symbolic link on C:\ProgramData\FLEXnet. Detection of a symbolic link on this folder or files in this situation results in a system error code "19885" from the FNP API such as Activation APIs and Activation utilities. When the system error "19885" occurs you are advised to check and remove the symbolic link if it exists and continue using the product.
(FNP-24995)
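
The check the release notes advise when system error 19885 appears can be scripted. The following PowerShell is an added example, not part of the comment or release notes above and not Flexera code; it lists symbolic links and junctions at or below C:\ProgramData\FLEXnet without following them. The function name and output fields are assumptions of this example.

```powershell
# Added example, not vendor code. The folder path comes from the release notes
# quoted above; the function name and output fields are this example's own.
function Find-FlexNetReparsePoint {
    [CmdletBinding()]
    param(
        [string]$Root = 'C:\ProgramData\FLEXnet'
    )

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Verbose "Not present: $Root"
        return
    }

    # Walk the tree by hand so that a link is reported but never followed;
    # the scan stays inside the real folder even if a link points elsewhere.
    $pending = New-Object System.Collections.Stack
    $pending.Push((Get-Item -LiteralPath $Root -Force))

    while ($pending.Count -gt 0) {
        $item = $pending.Pop()

        if ($item.Attributes.HasFlag([System.IO.FileAttributes]::ReparsePoint)) {
            # LinkType is SymbolicLink or Junction when PowerShell recognizes
            # the reparse tag, and empty for other reparse point types.
            [pscustomobject]@{
                Path     = $item.FullName
                LinkType = $item.LinkType
                Target   = ($item.Target -join '; ')
                Created  = $item.CreationTime
            }
            continue
        }

        if ($item.PSIsContainer) {
            # -Force includes hidden and system entries.
            Get-ChildItem -LiteralPath $item.FullName -Force -ErrorAction SilentlyContinue |
                ForEach-Object { $pending.Push($_) }
        }
    }
}

$found = @(Find-FlexNetReparsePoint)
if ($found.Count -eq 0) {
    'No symbolic links or junctions found.'
} else {
    $found | Format-List
}
```

Review each reported entry before removing the link as the release notes advise; the Target field shows where the link points.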

Version history
Revision #: 5 of 5
Last update: Jul 26, 2021 01:20 PM