Summary

A local privilege escalation issue could give passage for exploit on Windows, has been reported on an optional service of FlexNet Publisher (FNP), usually used with trusted storage. If you do not depend on FlexNet Licensing Service, there is no impact to you and no further action on your part.

Please see the Symptoms section for more details.

Symptoms

FlexNet Licensing Service on Windows works with an elevated privilege. The elevated privilege allows reading some information required to protect our customers against license misuse and to protect their Intellectual Property. It is possible to use the elevated privilege of FlexNet Publisher with attack vector for exploit on Windows.

A local authenticated user is required in the attack vector and there is no "remote" (aka network vector) vector on this vulnerability. Through standard security measures, as applied in any local environment, the risk of this vulnerability being exploited is considered low.

Originally, the vulnerability and its report utilized a vector that had been mitigated through a change in the Microsoft Windows 10 operating systems, however, we received further updates from the reporter in January 2021 to indicate the existence of more vectors and thus exposing the vulnerability.

Resolution

A complete solution will be available in the upcoming FlexNet Publisher 2021 R3 (11.18.2) release, which is planned for August 2021. We recommend customers upgrade to this version of FlexNet Publisher.

Additional Information

No additional information at this time.

Related Documents

None at this time.