Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Schneider Electric FLM v2.3.1.0 / FlexNet Publisher 11.6.2 Multiple Vulnerabilities

High

Synopsis

lmadmin.exe Unauthenticated Remote DoS

The communication protocol used in lmadmin.exe for command 0x2f has the following format:

struct msg
{
   int8 type;        // command 0x2f
   int8 hdr_chksum;  // over the 0x14-byte header;
                     // this field is set to 0 for chksum calculation
   be16 data_chksum; // start @ msg_len to the msg end
   be16 msg_len;     // entire msg; including msg hdr
   be16 cmd;         // extended command
   be32 id;
   be32 unk;
   ube16 unk;        
   ube16 flags?;     // 0x1 - more_fragments?
   //end of msg hdr; start of msg data
   byte data[msg_len-0x14];
}; 

After reading a message, if (msg.flags & 0x1) is set the message reading function calls itself again, presumably expecting more message (fragments?) to follow:

.text:004F34B9 140      mov     edx, [ebp+flags]
.text:004F34BF 140      and     edx, 1
.text:004F34C2 140      jz      no_more_fragments
.text:004F34C8 140      mov     eax, [ebp+arg_timeout?]
.text:004F34CB 140      push    eax
.text:004F34CC 144      lea     ecx, [ebp+sebuf]
.text:004F34D2 144      push    ecx
.text:004F34D3 148      mov     edx, [ebp+obj24]
.text:004F34D9 148      mov     eax, [edx]
.text:004F34DB 148      mov     ecx, [ebp+obj24]
.text:004F34E1 148      mov     edx, [eax+4]
.text:004F34E4 148      call    edx ; recursive call
.text:004F34E6 140      test    eax, eax ; the function returns 0xffffffff if there
.text:004F34E6               ; is no more incoming message.
.text:004F34E6               ; This ret value passes the jz check and
.text:004F34E6               ; the code below it continues to execute,
.text:004F34E6               ; eventually resulting in an exception thrown
.text:004F34E6               ; and can cause lmadmin.exe to die.
.text:004F34E8 140      jz      short error

It appears that the function assumes a non-zero return value indicates success. If (msg.flags & 0x1) is set, but a subsequent message is not received, the function can return 0xffffffff which can lead to an exception being thrown. The end result can be process termination.

0:008> kb
ChildEBP RetAddr  Args to Child              
0a32fb88 05718a19 e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58
0a32fbc8 053e3a4f 0a32fbd8 054156f4 053d147c MSVCR120!_CxxThrowException+0x5b [f:\dd\vctools\crt\crtw32\eh\throw.cpp @ 152]
0a32fbe4 00501072 006a6e3c 0a32fdcc 0a32fc3c MSVCP120!std::_Xlength_error+0x2e [f:\dd\vctools\crt\crtw32\stdcpp\xthrow.cpp @ 19]
WARNING: Stack unwind information not available. Following frames may be wrong.
0a32fbf4 004f3ad7 24b9176e 00000000 08ca2fa0 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x54be2
0a32fc3c 004f4192 0d41cffb 00000014 00000000 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47647
0a32fc64 004f3551 0a32fca0 0d41cffb 00000014 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47d02
0a32fdb8 004f46cf 0a32fdcc 004c4b40 24b91532 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x470c1
0a32fe60 00535ef1 24b915de 09bdfc04 00000000 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x4823f
0a32fe8c 0049a795 00000003 08ca2fe8 0a32feb0 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x89a61
0a32fe9c 00535fed 09bdfbd4 00000003 08ca2fec lmadmin!xalanc_1_11::XalanMemoryManager::getExceptionMemoryManager+0x21965
0a32feb0 005366e0 00000000 08ca2fe8 0a32fecf lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x89b5d
0a32fed0 00536c75 08ca2fe8 0a32ff10 00427adb lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x8a250
0a32fedc 00427adb 08ca2fe8 24b91442 0a32ff68 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x8a7e5
0a32ff10 004f28a2 08ca2fa0 0a32ff44 0063059e lmadmin+0x27adb
0a32ff1c 0063059e 24b91416 00000000 0b924c40 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x46412
0a32ff44 0572c129 08ca2fa0 0af420b6 00000000 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x18410e
0a32ff7c 0572c10d 00000000 0a32ff94 7dd7343d MSVCR120!_callthreadstartex+0x1b [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 381]
0a32ff88 7dd7343d 09346c40 0a32ffd4 7dea9802 MSVCR120!_threadstartex+0x69 [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 359]
0a32ff94 7dea9802 09346c40 59937487 00000000 kernel32!BaseThreadInitThunk+0xe
0a32ffd4 7dea97d5 0572c0cc 09346c40 ffffffff ntdll!__RtlUserThreadStart+0x70

lmadmin.exe Unauthenticated Remote Stack Exhaustion

Because the message reading function calls itself recursively if (msg.flags & 0x1) is set in the received message, an unauthenticated remote attacker can repeatedly send messages with the flag set to cause a stack exhaustion condition:

0:038> g
(1604.f24): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000000b4 ebx=00000000 ecx=028b3114 edx=00000013 esi=00000000 edi=03c8f9e0
eip=6c8816ce esp=028b2fec ebp=028b30b0 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
MSWSOCK!_SEH_prolog4_GS+0x1a:
6c8816ce 53              push    ebx
0:008> kb
ChildEBP RetAddr  Args to Child              
028b30b0 41ac673e 000004cd 028b3180 00000000 MSWSOCK!_SEH_prolog4_GS+0x1a
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Schneider Electric\Floating License Manager\FLEXnet Publisher License Server Manager\lmadmin.exe - 
028b3130 005379d8 000004cd 028b3180 00000000 WS2_32!select+0x494
WARNING: Stack unwind information not available. Following frames may be wrong.
028b4194 004f329e 028b4248 00000002 00000000 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x8b548
028b42ec 004f34e6 028b4354 004c4b40 e52adb7e lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x46e0e
028b4438 004f34e6 028b44a0 004c4b40 e52adac2 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056
028b4584 004f34e6 028b45ec 004c4b40 e52ad996 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056
028b46d0 004f34e6 028b4738 004c4b40 e52ad75a lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056
028b481c 004f34e6 028b4884 004c4b40 e52ad62e lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056
028b4968 004f34e6 028b49d0 004c4b40 e52ad5f2 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056
028b4ab4 004f34e6 028b4b1c 004c4b40 e52ad346 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056
028b4c00 004f34e6 028b4c68 004c4b40 e52ad20a lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056
...
InVision

Solution

Disclosure Timeline

07/29/2019 - Vulnerabilities discovered.
08/15/2019 - Tenable reports the vulnerability to [email protected] 90 days set to November 14, 2019.
08/15/2019 - Tenable receives an automated reply acknowledging receipt and a promised response in "two business days."
08/15/2019 - Schneider assigns SE-1414 and SE-1415.
08/26/2019 - Schneider tells Tenable they are working on it.
08/26/2019 - Tenable thanks Schneider for the update.
08/28/2019 - Schneider indicates Flexera may have a fix. Asks if Tenable is willing to test.
08/28/2019 - Tenable agrees to test.
08/28/2019 - Schneider provides a download link.
08/28/2019 - Tenable tells Schneider that they've successfully downloaded the files.
08/28/2019 - Tenable finds that the software is still vulnerable.
08/29/2019 - Tenable informs Schneider the test version doesn't fix the issues.
09/06/2019 - Schneider targets a Q4 fix and asks about Tenable's disclosure policy.
09/06/2019 - Tenable clarifies the rules around disclosure deadline.
09/20/2019 - Schneider explains the vulnerabilities is in Flexera software and not Schneider software and therefore believe they should be excused from the 90 day disclosure.
09/20/2019 - Tenable agrees.
10/16/2019 - Tenable discloses to [email protected] 90 day is Jan. 14, 2020
11/20/2019 - Flexera notifies Tenable that a patch has been released.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, email, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.