Summary

A vulnerability has been reported in FlexNet Publisher, which can be exploited by malicious, local users to potentially gain escalated privileges. 1) A boundary error related to a named pipe within the FNLS (FlexNet Publisher Licensing Service) can be exploited to cause an out-of-bounds memory read access. Successful exploitation may allow execution of arbitrary code with SYSTEM privileges. The vulnerability is reported in versions prior to 11.14.1.1 (FlexNet Publisher 2016 R2 SP1) running FlexNet Publisher Licensing Service on Windows platform.

Symptoms

****
Only the following information is permitted to be distributed outside of Revenera and customers of FlexNet Publisher"
- CVE number
- CWE ID
- CVSS scores
- The text in the Workaround section
- Reference to any publicly available documentation
****

A vulnerability has been reported in FlexNet Publisher, which might be exploited by malicious, local users to potentially gain escalated privileges.

- An Out-of-bounds Read (CWE-125) in the Windows FlexeNet Publisher Licensing Service could theoretically be used to alter program flow.
- Successful exploitation may allow execution of arbitrary code with SYSTEM privileges.

Depending upon the license model(s) you offer to your customers, you may or may not distribute this component to one or more of your customers. If you do not distribute this component, there is no further action on your part. If you do, you must distribute to those same customers the security update mentioned in the Resolution section of this article.

Affected Platforms/Components

- All Microsoft Windows versions of the FlexeNet Publisher Licensing Service (FNLS) before version 11.14.1.1

- The FNLS should not be confused with lmadmin or lmgrd running as a service

- The FNLS is typically installed using API calls to fnpActSvcInstallWin or by executing installanchorservice.exe or some derivative of the same.

- Non-Windows platforms are unaffected

*NOTES:

• FNLS (FlexNet Publisher Licensing Service) is an optional Windows service required for customers implementing Trusted Storage features in their products.
• All Trusted Storage customers on versions prior to 11.14.1.1 are impacted by this vulnerability.
• Starting with 11.14.1.0 (FlexNet Publisher 2016 R2) certificate users, who also implement (optional) virtualization features, are impacted due to a dependency on FNLS.
• Customers using certificate licensing on versions prior to 11.14.1.0 are not impacted since they do not have a dependency on FNLS.
• This does not affect lmgrd or lmadmin in any way even when they are run as a service.

Criticality Rating (by "Secunia Research" at Flexera): ?Less Critical?
Secunia CVSS Scores: Base: 6.8, Overall: 5.0 (AV:L/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)

CVSS version 2 metric and score:

https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:L/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)

CVSS version 3 metric and score:

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

To understand the potential consequences of this vulnerability, see the Common Consequences section of CWE-125: ?Out-of-bounds Read?

(Common Weakness Enumeration). Discovery was through a third party researcher contacting Flexera Software.

This security vulnerability has been assigned to the CVE ID number of CVE-2016-10395.
The CWE-ID number that is suitable for the root cause is ?Out-of-bounds Read?: CWE-125

https://cwe.mitre.org/data/definitions/125.html

Cause

See "Steps to Reproduce" section

Steps To Reproduce

For security reasons, Revenera will not publish the steps to reproduce this security vulnerability.

Revenera was in contact with the original research team that discovered this security vulnerability, but Revenera did not participate in the publishing of these articles.

Resolution

Fixed in version 11.14.1.1 (FlexNet Publisher 2016 R2 SP1)

Resolution is to upgrade FlexNet Licensing Service (FNLS) to the latest version (which is currently 11.14.1.2).
This can be done independently of other licensing components.

Detailed Steps to Upgrade FNLS:

• Download the appropriate Windows toolkit for version 11.14.1.2 (FlexNet Publisher 2016 R2 SP2 from the Product & Licensing Center.

• The toolkit contains two sample programs that install and uninstall the FlexNet Licensing Service using

fnpActSvcInstallWin and fnpActSvcUninstallWin functions of the FlexNet Licensing Service API:

? installanchorservice.exe

? uninstallanchorservice.exe

These files are located in the <platform_dir> directory of the toolkit. The source code is available in

\examples\anchor_service. These executables must be run as an Administrative user.

• The Windows toolkit contains example InstallShield project files that you can use to create your own installer for the
  FlexNet Licensing Service.

These files are located in the <platform_dir>\examples\serviceinstall directory.
See the Readme file for information on how to use the example project files.

For additional information please consult the Programming Reference for Trusted Storage?Based Licensing

Workaround

Upgrade the FlexNet Licensing Service (FNLS) component to version 11.14.1.2 (FlexNet Publisher 2016 R2 SP2)

Note: This is now the current version available - recommendation is to use the latest available at the time of update.

Additional Information

• A link to the community representation of the Secunia Advisory SA76368:
  https://secuniaresearch.flexerasoftware.com/advisories/76368/
• A link to the terminology, which explains the criticality ratings and impacts used in this advisory:
  https://secuniaresearch.flexerasoftware.com/community/advisories/terminology/

Related Documents

Secunia Advisory ID: SA76368 (attached)