Summary
CVE-2015-8277 has been discovered and remediated in FlexNet Publisher
Symptoms
****Only the following information is permitted to be distributed outside of Flexera Software and customers of FlexNet Publisher:
- CVE number
- CWE ID
- CVSS scores
- The text in the Workaround section
- Reference to any publicly-available information
****
This vulnerability exists on all platforms in all supported versions of the following FlexNet Publisher components:
- lmgrd executable, provided by Flexera Software
- vendor daemon executable, built by each FlexNet Publisher customer from object code provided by Flexera Software
Depending upon the license model(s) you offer to your customers, you may or may not distribute one or both of these components to one or more of your customers. If you don't distribute either of these components, there is no further action on your part. If you do, you must distribute to those same customers the security update mentioned in the Resolution section of this article.
To understand the potential consequences of this vulnerability, see the Common Consequences section of CWE-120 (Common Weakness Enumeration). None of these consequences have been observed outside of test laboratory conditions.
This security vulnerability has been assigned the CVE ID number of CVE-2015-8277.
The CVSS base score for this vulnerability is 7.6.
Cause
For the cause of this vulnerability, see the Description section of CWE-120 (Common Weakness Enumeration).
Steps To Reproduce
For security reasons, Flexera Software will not publish the steps to reproduce this security vulnerability.
During the week of 22-Feb-2016, the following two articles were published by a security researcher:
- https://www.securifera.com/advisories/cve-2015-8277/
- http://securitymumblings.blogspot.com/2016/02/cve-2015-8277.html
Flexera Software was in contact with the original research team that discovered this security vulnerability, but Flexera Software did not participate in the publishing of these articles.
Resolution
As of 20-Nov-2015, the following security update is available from Flexera Software's Product and License Center (https://flexerasoftware.flexnetoperations.com/control/inst/login?nextURL=%2Fcontrol%2Finst%2Findex):
- FlexNet Publisher 2015 Security Update 1
This vulnerability was published by the US-CERT on 22-Feb-2016 here: https://www.kb.cert.org/vuls/id/485744
As a reminder, Flexera Software no longer distributes the lmgrd executable to your customers; your customers can only receive the lmgrd executable from you.
Workaround
Only in highly customized environments would one of your customers expose the lmgrd or vendor daemon executables to the internet. If one of your customers exposes either of these components to the internet, a partial workaround is to advise them to expose these components only to a trusted network until they can be patched. Exposing either of these components to the internet raises the CVSS base score of this vulnerability to 9.0.
License Administrator Best Practices for Mitigating Risk Exposure
The following steps are recommended as License Administrator best practices to help protect against this and other security vulnerabilities:
- Utilize the recommended security settings offered by the Operating System (OS) vendors that resist buffer/stack overflow attacks. For example, the Data Execution Prevention (DEP) feature on Windows helps in this regard. Most OS updates also include security features that take advantage of both hardware- and software-based protection mechanisms against malicious code execution.
- Launch the lmgrd and vendor daemon executables at a least-privileged security level.
- Limit access to only administrative users by launching lmgrd with the '-2 -p' command-line option, unless you are using FlexNet Manager for Engineering Applications. Refer to the product documentation for limitations related to usage of this command-line option.
- Do not use the default 27000-27009 TCP ports for lmgrd (this only inhibits an attacker who doesn't use an intelligent port-scanning tool).
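A license administrator can check several of the above recommendations from a process and socket listing. The following is an added example, not Flexera's code, that audits constructed `ps -eo user,args` and `ss -ltnp` style lines for lmgrd running as root, lmgrd launched without '-2 -p', lmgrd on the default 27000-27009 ports, and either daemon bound to all interfaces; the vendor daemon name "demo" is assumed.

```python
# Added example (not Flexera's code): audit lmgrd / vendor daemon settings
# from `ps -eo user,args` and `ss -ltnp` style lines, as recommended above.
import re
from typing import List

DEFAULT_LMGRD_PORTS = range(27000, 27010)          # the 27000-27009 defaults
ANY_ADDR = {"0.0.0.0", "*", "[::]", "::"}          # bound to all interfaces
# Matches "<addr>:<port> <peer> users:((\"<proc>\"..." in an ss -ltnp row.
LISTEN_RE = re.compile(r'\s(\S+?):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def audit_processes(ps_lines: List[str]) -> List[str]:
    """ps_lines look like `ps -eo user,args` rows: '<user> <command> <args...>'."""
    findings = []
    for line in ps_lines:
        fields = line.split()
        if len(fields) < 2 or not fields[1].endswith("lmgrd"):
            continue
        user, argv = fields[0], fields[1:]
        if user == "root":
            findings.append(f"lmgrd runs as root: {' '.join(argv)}")
        if not ("-2" in argv and "-p" in argv):
            findings.append(f"lmgrd started without '-2 -p': {' '.join(argv)}")
    return findings


def audit_listeners(ss_lines: List[str], vendor_daemon: str) -> List[str]:
    """ss_lines look like `ss -ltnp` rows; vendor_daemon is the daemon's process name."""
    findings = []
    for line in ss_lines:
        m = LISTEN_RE.search(line)
        if not m:
            continue
        addr, port, proc = m.group(1), int(m.group(2)), m.group(3)
        if proc not in ("lmgrd", vendor_daemon):
            continue
        if proc == "lmgrd" and port in DEFAULT_LMGRD_PORTS:
            findings.append(f"lmgrd listens on default port {port}")
        if addr in ANY_ADDR:
            findings.append(f"{proc} bound to all interfaces on port {port}; restrict to a trusted network")
    return findings


# Constructed sample rows; "demo" is an assumed vendor daemon name.
PS_SAMPLE = ["root /opt/flexnet/lmgrd -c /opt/flexnet/license.dat -l /var/log/lmgrd.log",
             "flexnet /opt/flexnet/lmgrd -2 -p -c /opt/flexnet/license.dat",
             "root /usr/sbin/sshd -D"]
SS_SAMPLE = ['LISTEN 0 128 0.0.0.0:27000 0.0.0.0:* users:(("lmgrd",pid=1234,fd=5))',
             'LISTEN 0 128 10.0.0.5:49152 0.0.0.0:* users:(("demo",pid=1235,fd=6))',
             'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))']

if __name__ == "__main__":
    for finding in audit_processes(PS_SAMPLE) + audit_listeners(SS_SAMPLE, "demo"):
        print("FINDING:", finding)
```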
Additional Information
A security research team employed by a user of a FlexNet Publisher-licensed software application discovered this security vulnerability as part of their new penetration testing initiative. To our knowledge, only that security research team had knowledge of the vulnerability at the time they disclosed it.
This vulnerability was not detected by the source code scanning tools and executable code scanning tools continuously used by Flexera Software.
Related Documents
https://cwe.mitre.org/data/definitions/120.html
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:A/AC:M/Au:N/C:C/I:C/A:P)
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:P)