FNAL Critical Vulnerability - FlexNet (FlexLM) License Server

FNAL Critical Vulnerability
Product: FlexNet (FlexLM) License Server
Patch By: As soon as your vendor offers a patch
Host Remediation: Upgrade FlexNet License Server; configure local firewall to prevent license server access to/from specific nodes; run the license server as an unprivileged user; migrate the local license manager to the central license manager server
FNAL Site Actions: FlexNet/FlexLM installations cannot offer the license services to the Internet. Local firewalls or other access controls must be implemented locally to prevent exposure of the license manager service outside of the FNAL network

Multiple vulnerabilities have been announced for the FlexNet License Server (FlexLM), a license manager used in many products such as Matlab, TeamCenter and other Engineering/CAD software. One is a buffer overflow that might lead to arbitrary code execution. The second appears to be easier to exploit from the Internet and can lead to arbitrary directory traversal, file overwrite and file execution via saving and loading of log files.

Flexera's web site indicates a patch will be made available on 09/30/2011 for tier 1 platforms. However, patches typically cannot be obtained directly from Flexera. Instead, each software publisher must update their applications and products. Please contact your software publisher or application vendor for updates to your applications. In addition, apply one or more of the Host Remediations listed at the top of this notice.

Since the software publishers can define their own port number for license manager use, FNAL Computer Security cannot easily implement a border block. Also, since it is up to each software publisher to integrate the patches into their applications and products, FNAL Computer Security cannot set a patch-by date. To mitigate the threat of unpatched license manager installations, exposing or offering the license manager service to the Internet is prohibited. Fermilab Computer Security will begin scanning for license manager services exposed to the Internet at the end of September, resulting in TIssue warning notices and possibly nodes being blocked from the network.
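Because each publisher picks its own license manager port, a border block is impractical and the exposure has to be found host by host. The POSIX shell snippet below is an added example, not part of this Fermilab notice: it parses `ss -lntp`-style listening-socket output for the FlexNet daemon `lmgrd` and the vendor daemons it spawns (names passed in by the administrator), reports the ones bound on all interfaces, and prints (does not apply) host-firewall rules restricting those ports to an assumed site network. The sample socket listing, the vendor daemon name `MLM` and the network `192.0.2.0/24` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Fermilab's code: locate FlexNet license daemons listening
# on all interfaces and emit host-firewall rules limiting them to the site net.

# Constructed sample in the format of `ss -H -lntp` on Linux. Real use:
#   ss -H -lntp | flexlm_rules "lmgrd MLM"
SAMPLE_SS='LISTEN 0 128 0.0.0.0:27000 0.0.0.0:* users:(("lmgrd",pid=4120,fd=5))
LISTEN 0 128 0.0.0.0:52123 0.0.0.0:* users:(("MLM",pid=4125,fd=6))
LISTEN 0 128 127.0.0.1:27001 0.0.0.0:* users:(("lmgrd",pid=4130,fd=5))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=901,fd=3))'

# Placeholder site range; set SITE_NET to the network the license clients live on.
SITE_NET="${SITE_NET:-192.0.2.0/24}"

# flexlm_exposed DAEMONS : read ss output on stdin and print "daemon port" for
# each named daemon (lmgrd plus its vendor daemons) bound to a wildcard address.
flexlm_exposed() {
    daemons="$1"
    while read -r state recvq sendq local peer users; do
        port="${local##*:}"
        addr="${local%:*}"
        proc="${users#*\"}"; proc="${proc%%\"*}"      # name inside users:(("...
        case " $daemons " in *" $proc "*) ;; *) continue ;; esac
        case "$addr" in 0.0.0.0|'*'|'[::]'|'::') echo "$proc $port" ;; esac
    done
}

# flexlm_rules DAEMONS : for every exposed port, print an accept rule for the
# site network followed by a drop for everyone else (printed, not applied).
flexlm_rules() {
    flexlm_exposed "$1" | while read -r proc port; do
        echo "iptables -A INPUT -p tcp --dport $port -s $SITE_NET -j ACCEPT  # $proc"
        echo "iptables -A INPUT -p tcp --dport $port -j DROP  # $proc"
    done
}

printf '%s\n' "$SAMPLE_SS" | flexlm_rules "lmgrd MLM"
```

The loopback-only lmgrd on port 27001 is intentionally left out of the report; only the two sockets reachable from other hosts get rules.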

More information from Flexera:
http://www.flexerasoftware.com/pl/12982.htm
http://www.flexerasoftware.com/pl/13057.htm

For assistance contact servicedesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by FJN on October 7, 2008.