Full Report
Kaspersky Lab ICS CERT has identified multiple remote code execution (RCE) and denial of service (DoS) vulnerabilities in the hasplms service, which is part of Gemalto's HASP SRM, Sentinel HASP and Sentinel LDK products.
Analysis Summary
# Vulnerability: Multiple RCE and DoS Flaws in Gemalto Sentinel License Manager
## CVE Details
*Note: The referenced Kaspersky publications identify the findings by advisory ID; the CVE identifiers assigned to this research are listed alongside them.*
- **Advisory IDs:** KLCERT-17-001 (DoS, language pack with invalid HTML files), KLCERT-17-002 (RCE, language pack with malformed filenames), KLCERT-17-003 (RCE, malformed ASN.1 streams in V2C updates)
- **CVE IDs:** CVE-2017-11496, CVE-2017-11497, CVE-2017-11498 (assigned to the three advisories above)
- **CVSS Score:** 9.8 (Critical; unauthenticated, network-reachable RCE)
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:** Gemalto HASP SRM, Sentinel HASP, and Sentinel LDK.
- **Versions:** Sentinel LDK Run-time Environment (RTE) versions 2.10 through 7.50.
- **Configurations:** Any system where the `hasplms` service is running. The service is installed together with the driver, which Windows may fetch and install automatically when a USB license token is plugged in, so it is frequently present on hosts whose owners never deliberately deployed a license manager. The service listens on port **1947/tcp** by default, and the installer adds that port to the Windows Firewall exception list.
## Vulnerability Description
The `hasplms` service exposes a web-based administration interface (the Admin Control Center, ACC) on port 1947 for managing licenses and configuration. It contains multiple flaws in the handling of uploaded input:
1. **Remote Code Execution (RCE):** Two separate stack buffer overflows (CWE-119): one triggered by a language pack (a ZIP archive) whose entries have malformed filenames or an invalid internal structure, the other by malformed ASN.1 streams in V2C license update files.
2. **Denial of Service (DoS):** A language pack containing invalid HTML files crashes the service, stopping license checks for every product that depends on it.
In the default configuration the web interface can be switched on and off remotely, so an attacker who finds it disabled can re-enable it over the network and then deliver the malformed language pack or V2C file to the service.
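The flaws above are all failures to validate attacker-supplied files before parsing them. The following is an added example, not code from Kaspersky or from Gemalto's product, of the pre-flight checks a hardened language-pack updater would apply to a ZIP before handing it to a native parser: a bound on entry name length (the `MAX_NAME_LEN` of 64 is an assumed limit; the real parser's buffer size is not published), rejection of path traversal and control characters in names, an extension allow-list, a decompressed size cap, and a strict decode of every HTML file so that undecodable content is rejected instead of crashing a lenient parser. The sample packs are constructed in memory.

```python
"""Pre-flight validation of a language-pack ZIP before it reaches the updater.

Added example; assumed limits are marked below. Nothing here is Sentinel LDK code.
"""
import io
import zipfile

MAX_NAME_LEN = 64            # assumed bound on an entry name (real buffer size unknown)
MAX_MEMBER_SIZE = 1 << 20    # assumed cap: 1 MiB decompressed per entry
MAX_ENTRIES = 500            # assumed cap on number of entries
ALLOWED_EXT = {".html", ".htm", ".css", ".js", ".png", ".gif", ".txt"}


def check_entry_name(name: str) -> list:
    """Return the problems with one ZIP entry name (empty list means it is acceptable)."""
    problems = []
    if not name:
        problems.append("empty entry name")
        return problems
    if len(name) > MAX_NAME_LEN:
        problems.append(f"entry name too long ({len(name)} > {MAX_NAME_LEN}): {name[:16]}...")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in name):
        problems.append(f"entry name contains control or non-ASCII characters: {name!r}")
    if name.startswith("/") or name.startswith("\\") or (len(name) > 1 and name[1] == ":"):
        problems.append(f"absolute entry name: {name!r}")
    parts = name.replace("\\", "/").split("/")
    if ".." in parts:
        problems.append(f"path traversal in entry name: {name!r}")
    if not name.endswith("/"):  # directories carry no extension
        ext = name[name.rfind("."):].lower() if "." in parts[-1] else ""
        if ext not in ALLOWED_EXT:
            problems.append(f"disallowed file type {ext or '(none)'}: {name!r}")
    return problems


def check_html(name: str, data: bytes) -> list:
    """Reject HTML that is not valid UTF-8 or contains NUL bytes; lenient parsers
    downstream must never see such input."""
    problems = []
    if b"\x00" in data:
        problems.append(f"NUL byte inside HTML file: {name!r}")
    try:
        data.decode("utf-8")
    except UnicodeDecodeError as exc:
        problems.append(f"HTML file is not valid UTF-8 ({exc.reason} at byte {exc.start}): {name!r}")
    return problems


def validate_language_pack(pack: bytes) -> list:
    """Return a list of problems found in the pack; an empty list means it may be installed."""
    problems = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(pack))
    except zipfile.BadZipFile as exc:
        return [f"not a ZIP archive: {exc}"]
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            problems.append(f"too many entries ({len(infos)} > {MAX_ENTRIES})")
        for zi in infos:
            problems.extend(check_entry_name(zi.filename))
            if zi.file_size > MAX_MEMBER_SIZE:
                problems.append(f"entry too large ({zi.file_size} bytes): {zi.filename!r}")
                continue  # do not decompress oversized members at all
            if zi.filename.lower().endswith((".html", ".htm")):
                problems.extend(check_html(zi.filename, zf.read(zi)))
    return problems


def make_pack(files: dict) -> bytes:
    """Build a ZIP in memory from {name: bytes}; used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample packs (not real Sentinel language packs).
GOOD_PACK = make_pack({"en/index.html": b"<html><body>ok</body></html>", "en/style.css": b"body{}"})
LONG_NAME_PACK = make_pack({"en/" + "A" * 200 + ".html": b"<html></html>"})
TRAVERSAL_PACK = make_pack({"../../hasplms.ini": b"x=1"})
BAD_HTML_PACK = make_pack({"en/index.html": b"<html>\xff\xfe\x00</html>"})
```

Run `validate_language_pack(GOOD_PACK)` to get an empty list; the other three constructed packs each produce at least one problem string naming the offending entry. The validator never decompresses an entry whose declared size exceeds the cap, so a decompression bomb is rejected on the basis of the central directory alone.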
## Exploitation
- **Status:** Vulnerabilities verified by Kaspersky ICS CERT; no public proof of concept is referenced in the advisories.
- **Complexity:** Medium (the attacker must craft a language pack or V2C file with the specific malformed structure).
- **Attack Vector:** Network (remote, unauthenticated, via port 1947/tcp).
## Impact
- **Confidentiality:** High (Full system compromise via RCE).
- **Integrity:** High.
- **Availability:** High (Service crash or full system takeover).
## Remediation
### Patches
- **Sentinel LDK RTE v7.55:** Released May 25, 2017. Upgrade every Run-time Environment component to this version or newer; because the RTE is bundled with third-party software that uses Sentinel licensing, check each such product separately rather than assuming one upgrade covers the host.
### Workarounds
- **Port Blocking:** Block port **1947/tcp** at the network perimeter and on the host firewall if remote license management is not required; remove the Windows Firewall exception the installer created rather than relying on it.
- **Web Interface:** Use the Admin Control Center to disable the web interface if it is not needed for local administration, bearing in mind that in the default configuration it can be re-enabled remotely, so this is not a substitute for blocking the port.
## Detection
- **OVAL Definitions:** Kaspersky has provided XML-based OVAL definitions for automated scanning, one per advisory:
- KLCERT-17-001 (DoS: language pack with invalid HTML files)
- KLCERT-17-002 (RCE: language pack with malformed filenames)
- KLCERT-17-003 (RCE: malformed ASN.1 streams in V2C updates)
- **Network Scanning:** Identify hosts with a service listening on port **1947/tcp** and check the reported RTE version against 7.55.
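A minimal fingerprinting scanner for the network check above, as an added example that is not part of the Kaspersky or Gemalto material. It assumes that hasplms answers HTTP on 1947/tcp, that the Admin Control Center is reachable at the `/_int_/` path, and that the service reports its version in a `Server: HASP LM/<major>.<minor>` header; all three are assumptions about the product and should be confirmed against one known host before the scanner is trusted. The version parsing and the vulnerable-range decision (2.10 up to but not including 7.55) are exercised on constructed responses so the logic can be checked offline.

```python
"""Find Sentinel LDK hosts on 1947/tcp and flag RTE versions below 7.55.

Added example; the HTTP path and Server header format are assumptions, not
documented product behaviour.
"""
import re
import socket
import sys

FIRST_AFFECTED = (2, 10)   # Sentinel LDK RTE 2.10 ... 7.50 are affected
FIXED_VERSION = (7, 55)    # first fixed release

# Assumption: the service identifies itself as "HASP LM/<major>.<minor>".
SERVER_RE = re.compile(rb"^Server:\s*HASP LM/(\d+)\.(\d+)", re.IGNORECASE | re.MULTILINE)


def parse_version(response: bytes):
    """Extract (major, minor) from the Server header, or None if it is absent.

    The minor part is treated as a two-digit build number ("7.5" -> 7.50) so that
    7.5 and 7.50 compare as the same release; this is an assumption about the
    vendor's numbering.
    """
    m = SERVER_RE.search(response)
    if not m:
        return None
    major = int(m.group(1))
    minor_text = m.group(2).decode()
    minor = int(minor_text) * 10 if len(minor_text) == 1 else int(minor_text)
    return (major, minor)


def is_vulnerable(version) -> bool:
    """True for any release in the affected range [2.10, 7.55)."""
    return FIRST_AFFECTED <= version < FIXED_VERSION


def classify(response: bytes):
    """Return ("vulnerable"|"patched"|"unknown", version) for one HTTP response."""
    version = parse_version(response)
    if version is None:
        return ("unknown", None)
    return ("vulnerable" if is_vulnerable(version) else "patched", version)


def probe(host: str, port: int = 1947, timeout: float = 3.0):
    """Connect to the ACC port, request the interface root and classify the reply.

    Returns ("closed", None) if the port does not accept a connection.
    """
    request = f"GET /_int_/ HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = b""
            while len(data) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return ("closed", None)
    return classify(data)


# Constructed sample responses (not captures from a real host).
SAMPLE_VULNERABLE = (b"HTTP/1.1 200 OK\r\nServer: HASP LM/7.50\r\n"
                     b"Content-Type: text/html\r\n\r\n<html></html>")
SAMPLE_PATCHED = (b"HTTP/1.1 200 OK\r\nServer: HASP LM/7.55\r\n"
                  b"Content-Type: text/html\r\n\r\n<html></html>")
SAMPLE_OLD = b"HTTP/1.1 200 OK\r\nServer: HASP LM/2.10\r\n\r\n"
SAMPLE_OTHER = b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"

if __name__ == "__main__":
    for target in sys.argv[1:]:
        status, version = probe(target)
        print(f"{target}\t{status}\t{version}")
```

Usage: `python scan1947.py 10.0.0.5 10.0.0.6` prints one line per host with `vulnerable`, `patched`, `unknown` (port open but no recognisable Server header) or `closed`. Treat `unknown` as a host to inspect manually, since an older or differently configured RTE may not identify itself the way the regular expression expects.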
## References
- **Vendor Advisory:** [https[:]//sentinelcustomer[.]gemalto[.]com/sentineldownloads/]
- **Kaspersky ICS CERT Advisory:** [https[:]//ics-cert[.]kaspersky[.]com/advisories/2017/07/28/klcert-17-001-sentinel-ldk-rte-language-pack-with-invalid-html-files-leads-to-denial-of-service/]
- **Kaspersky ICS CERT Alert:** [https[:]//ics-cert[.]kaspersky[.]com/publications/alerts/2017/07/28/multiple-vulnerabilities-found-in-popular-license-manager/]