Flexera has an upgrade available to mitigate improper input validation and memory corruption vulnerabilities in its FlexNet Publisher, according to a report from CISA.

These remotely exploitable vulnerabilities could allow an attacker to deny the acquisition of a valid license for legal use of the product. The memory corruption vulnerability could allow remote code execution.

FlexNet Publisher, a software license manager, is affected in Version 2018 R3 and prior. Sergey Temnikov of Kaspersky discovered the vulnerabilities.

In one issue, a vulnerability related to preemptive item deletion in lmgrd and vendor daemon components allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop and the vendor daemon to shut down.

CVE-2018-20031 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

In addition, a vulnerability related to message decoding in lmgrd and vendor daemon components allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop and the vendor daemon to shut down.

CVE-2018-20032 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

Also, there is a vulnerability in lmgrd and vendor daemon components that could allow a remote attacker to corrupt the memory by allocating/deallocating memory, loading lmgrd or the vendor daemon, and causing the heartbeat between lmgrd and the vendor daemon to stop. This would force the vendor daemon to shut down. The vulnerability could also allow remote code execution. No exploit of this vulnerability has been demonstrated.

CVE-2018-20033 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, a vulnerability related to adding an item to a list in lmgrd and vendor daemon components allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop and the vendor daemon to shut down.

CVE-2018-20034 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

The product is used mainly in the information technology sector and is deployed worldwide.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

Flexera recommended that all users of affected versions of FlexNet Publisher upgrade to Version 2018 R4 or newer as soon as possible. The updates can be obtained with a customer account (login required).
