Vulnerabilities > CVE-2019-8960 - Improper Check for Unusual or Exceptional Conditions vulnerability in Flexera Flexnet Publisher 11.16.2

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
CWE-754

Summary

A Denial of Service vulnerability related to command handling has been identified in FlexNet Publisher lmadmin.exe version 11.16.2. The message reading function used in lmadmin.exe can, given a certain message, call itself again and then wait for a further message. With a particular flag set in the original message, but no second message received, the function eventually returns an unexpected value, which leads to an exception being thrown. The end result can be process termination.

Vulnerable Configurations

Part Description Count
Application
Flexera
1

Nessus

NASL family: Misc.
NASL id: FLEXNET_PUBLISHER_11_16_5_1_MULTI_VULNS.NASL
description: The Flexera FlexNet Publisher license server manager running on the remote host is affected by multiple vulnerabilities : - A denial of service (DoS) vulnerability exists in lmadmin due to improper handling of message fragments. An unauthenticated, remote attacker can exploit this issue, via a series of specially crafted messages, to cause the process to terminate. (CVE-2019-8960) - A denial of service (DoS) vulnerability exists in lmadmin due to stack exhaustion when receiving message fragments. An unauthenticated, remote attacker can exploit this issue, via a series of specially crafted messages, to cause the process to terminate. (CVE-2019-8961)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 133090
published: 2020-01-20
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/133090
title: Flexera FlexNet Publisher lmadmin < 11.16.5.1 Multiple Vulnerabilities
code:

include("compat.inc");

# Plugin registration. When Nessus loads the script with `description`
# set, this block only publishes the plugin metadata (id, CVEs, CVSS
# vectors, solution text, dependencies) and exits; the probe below never
# runs in that mode.
if (description)
{
  script_id(133090);
  script_version("1.2");
  script_cvs_date("Date: 2020/01/21");

  # Both CVEs are fragment-handling DoS issues in lmadmin; the plugin
  # detects them with a single probe (see the code after this block).
  script_cve_id("CVE-2019-8960", "CVE-2019-8961");
  script_xref(name:"TRA", value:"TRA-2019-49");

  script_name(english:"Flexera FlexNet Publisher lmadmin < 11.16.5.1 Multiple Vulnerabilities");
  script_summary(english:"Checks response from the license server manager.");

  script_set_attribute(attribute:"synopsis", value:
"A licensing application running on the remote host is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The Flexera FlexNet Publisher license server manager running on the
remote host is affected by multiple vulnerabilities : 

  - A denial of service (DoS) vulnerability exists in lmadmin due to
    improper handling of message fragments. An unauthenticated,
    remote attacker can exploit this issue, via a series of specially
    crafted messages, to cause the process to terminate. 
    (CVE-2019-8960)

  - A denial of service (DoS) vulnerability exists in lmadmin due to
    stack exhaustion when receiving message fragments. An
    unauthenticated, remote attacker can exploit this issue, via a
    series of specially crafted messages, to cause the process to
    terminate. (CVE-2019-8961)");
  # Vendor advisories (the see_also values are shortened Nessus links to these URLs):
  # https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8960-remediated-in-FlexNet-Publisher/ta-p/124598
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?53057bf9");
  # https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b43c22ce");
  script_set_attribute(attribute:"solution", value:
"Upgrade to FlexNet Publisher 11.16.5.1 or later.");
  # Availability-only impact, no authentication required (network DoS).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-8960");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/11/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/20");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:flexerasoftware:flexnet_publisher");
  script_end_attributes();

  # ACT_GATHER_INFO: the probe is a single HELLO exchange, not an attack payload.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The probe only runs on ports the detection plugin recorded under
  # the Services/flexnet_publisher KB key.
  script_dependencies("flexnet_publisher_detection.nbin");
  script_require_keys("Services/flexnet_publisher");

  exit(0);
}

include('audit.inc');
include('byte_func.inc');
include('global_settings.inc');
include('misc_func.inc');
include('dump.inc');
include('spad_log_func.inc');

# Record in the KB which license manager flavour (lm, e.g. 'lmgrd' or
# 'lmadmin') answered on the given port, in the three key shapes other
# plugins look up: per-flavour, per-flavour-and-port, and per-port.
function save_kbs(lm, port)
{
  local_var prefix;

  prefix = 'flexnet_publisher/';
  set_kb_item(name:prefix + lm, value:TRUE);
  set_kb_item(name:prefix + lm + '/' + port, value:TRUE);
  set_kb_item(name:prefix + port, value:lm);
}

# Probe: send a FLEX_MSG_HELLO split into two message fragments and classify
# the service by its reply. Only the vulnerable lmadmin reassembles the
# fragments and answers with LM_OK; lmgrd and a patched lmadmin reply with
# LM_WHAT.
port = get_service(svc:'flexnet_publisher', default:27000, exit_on_fail:TRUE);
sock = open_sock_tcp(port);
if (!sock) audit(AUDIT_SOCK_FAIL, port);

# First fragment of a FLEX_MSG_HELLO whose 'communication revision' is 0x7f.
hello_frag1 = raw_string(
  0x2F, 0x6A, 0x1E, 0xBE, 0x00, 0x15, 0x01, 0x02,
  0x00, 0x00, 0x12, 0x34, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x01, 0x01
);

# Second fragment, carrying the remainder of the same HELLO.
hello_frag2 = raw_string(
  0x2F, 0xB7, 0x07, 0x14, 0x00, 0x24, 0x01, 0x02,
  0x00, 0x00, 0x12, 0x34, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x7F, 0x0B, 0x10, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0xD2, 0x00,
  0x00, 0x00, 0x00, 0x00
);

probe = hello_frag1 + hello_frag2;

# Keep the raw exchange in the scan log so a misclassification can be
# diagnosed after the fact.
spad_log(message:'request: \n' + hexdump(ddata:probe));
send(socket:sock, data:probe);

resp = recv(socket:sock, length:0x100);
close(sock);
if (isnull(resp)) audit(AUDIT_RESP_NOT, port);

spad_log(message:'response: \n' + hexdump(ddata:resp));

resp_len = strlen(resp);

# LM_WHAT (0x57): the server rejected the fragmented HELLO.
#
# Patched lmadmin does not appear to support message fragmentation; it
# treats the two fragments as two malformed messages:
#
# 0x00:  57 57 00 00 00 00 00 00 00 00 00 00 00 00 00 00    WW..............
# 0x10:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
# *
# 0x90:  00 00 00
if (resp_len == 0x93 && resp[0] == '\x57')
{
  # lmgrd is not affected: it supports fragmentation but reads the
  # fragments in a loop rather than recursively. Seeing a higher comm
  # revision in the HELLO, it answers LM_WHAT with error code -83
  # (Server FLEXlm version older than client's):
  #
  # 0x00:  57 EF 2D 38 33 00 00 00 00 00 00 00 00 00 00 00    W.-83...........
  # 0x10:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
  # *
  # 0x90:  00 00 00
  lm = 'lmadmin';
  if (substr(resp, 2, 4) == '-83') lm = 'lmgrd';

  save_kbs(port:port, lm:lm);
  audit(AUDIT_LISTEN_NOT_VULN, 'Flexnet Publisher (' + lm + ')', port);
}
# LM_OK (0x4F) in a 0x93-byte reply: vulnerable lmadmin reassembled the
# fragmented HELLO and accepted it.
#
# 0x00:  4F FA 31 31 00 00 00 00 00 00 00 00 00 31 36 00    O.11.........16.
# 0x10:  00 00 00 00 00 00 00 00 20 31 00 00 00 00 00 00    ........ 1......
# 0x20:  00 00 00 00 34 00 00 00 00 00 00 00 00 00 00 77    ....4..........w
# 0x30:  32 6B 31 32 72 32 2D 76 6D 32 00 00 00 00 00 00    2k12r2-vm2......
# 0x40:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
# *
# 0x90:  00 00 00
else if (resp_len == 0x93 && resp[0] == '\x4F')
{
  save_kbs(port:port, lm:'lmadmin');
  security_report_v4(port: port, severity: SECURITY_WARNING);
}
# Anything else is an unexpected reply; report it rather than guess.
else
{
  audit(AUDIT_RESP_BAD, port, 'a fragmented FLEX_MSG_HELLO message. Response: \n' + hexdump(ddata:resp));
}