Today the CISA NCCIC-ICS published a control system security
advisory for products from Flexera.
Flexera Advisory
This advisory
describes four vulnerabilities in the Flexera FlexNet Publisher software
license manager. The vulnerabilities were reported by Sergey Temnikov of
Kaspersky. Flexera has a new version that mitigates the vulnerability. There is
no indication that Temnikov has been provided an opportunity to verify the
efficacy of the fix.
The four reported vulnerabilities are:
• Improper input validation (3) - CVE-2018-20031,
CVE-2018-20032 and CVE-2018-20034; and
• Memory corruption - CVE-2018-20033
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow an attacker to deny the
acquisition of a valid license for legal use of the product. The memory
corruption vulnerability could allow remote code execution.
Previously Reported
These same four CVE#s were reported
by Schneider in their Floating License Manager back in May 14th,
2019 followed by an NCCIC-ICS advisory
on July 11th, 2019. NIST reported the CVE#s as being in the FlexNet
Publisher on March 25th, 2019 with the following link to the Flexera
advisory (registration required).
The FlexNet Publisher is fairly obviously being used by
Schneider. We have seen this sort of vulnerability pairing between the two
products on multiple occasions. I suspect that other vendors are also using
FlexNet Publisher in their products. Should we be seeing more vulnerabilities
on these 4 CVE’s? Apparently only if other researchers like Temnikov check
other license managers to see if they can see the same problem.
Posts
No comments:
Post a Comment