# Full Report
In addition to Schneider Electric products, the same security issues affect AVEVA Vijeo Citect and Citect SCADA.
## Analysis Summary
This summary covers the Schneider Electric Floating License Manager (FlexNet Publisher) vulnerabilities disclosed in mid-2019 and the security flaws they introduce into Schneider Electric, AVEVA Vijeo Citect, and Citect SCADA deployments.
# Vulnerability: Multiple Flaws in Schneider Electric Floating License Manager (FlexNet Publisher)
## CVE Details
- **CVE ID:** CVE-2018-20031, CVE-2018-20032, CVE-2018-20033, CVE-2018-20034
- **CVSS Score:** 9.8 (Critical) - Highest assigned score among the group.
- **CWE:** CWE-121 (Stack-based Buffer Overflow), CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer).
## Affected Systems
- **Products:**
  - Schneider Electric Floating License Manager
  - AVEVA Vijeo Citect
  - Citect SCADA
- **Versions:**
  - Floating License Manager: versions prior to v2.3.0.0.
  - Software using FlexNet Publisher (lmgrd) components at version 11.16.1.0 and earlier.
- **Configurations:** Systems configured to use network-based floating licenses where the license server is exposed to the network.
## Vulnerability Description
The vulnerabilities exist within the **Flexera FlexNet Publisher** component used by Schneider Electric and AVEVA products for license management. Specifically, the `lmgrd` and vendor-specific daemons contain several buffer overflow vulnerabilities. These flaws reside in the message parsing logic; an attacker can send specially crafted packets to the license server manager, leading to a stack-based buffer overflow.
## Exploitation
- **Status:** PoC tools have been developed; no widespread exploitation in the wild at the time of initial disclosure.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Potential for unauthorized data access if shell access is gained)
- **Integrity:** High (Potential for unauthorized modification of license data or system files)
- **Availability:** High (Can lead to service crashes or total system takeover)
## Remediation
### Patches
- **Schneider Electric:** Upgrade Floating License Manager to version **v2.3.0.0** or later.
- **AVEVA/Citect:** Apply the hotfix or upgrade to the version of Vijeo Citect/Citect SCADA that incorporates the updated FlexNet Publisher binaries (11.16.2 or higher).
### Workarounds
- **Network Segmentation:** Place license servers behind a firewall and restrict access to authorized clients only.
- **Port Filtering:** Restrict access to default ports used by FlexNet (typically TCP ports 27000-27009 and the specific vendor daemon port).
- **Least Privilege:** Run the License Manager service under a low-privilege user account rather than "LocalSystem" or "Administrator."
## Detection
- **Indicators of Compromise:** Unusual crashes of the `lmgrd.exe` or `SNI_LMM.exe` processes; unexpected outbound network traffic from the license server.
- **Detection Methods:** Use IDS/IPS signatures to monitor for malformed FlexNet license request packets. Monitor system logs for unexpected process execution originating from the license manager service.
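As an added example (not part of the advisory), the host-based detection described above run over constructed Windows event records: it flags crashes of the license-manager processes and any process they spawn other than the vendor daemon. The field names are simplified from Sysmon Event ID 1 (process creation) and Application Error Event ID 1000 and are assumptions; the expected-child set must be adjusted to the vendor daemon actually deployed.

```python
import ntpath

# License-manager process names taken from the indicators above.
LICENSE_MANAGER = {"lmgrd.exe", "sni_lmm.exe"}
# lmgrd legitimately starts the vendor daemon; anything else it spawns is
# unexpected. Assumption: SNI_LMM.exe is the only expected child here.
EXPECTED_CHILDREN = {"sni_lmm.exe"}


def _name(path):
    """Lower-cased file name of a Windows path (case-insensitive compare)."""
    return ntpath.basename(path).lower()


def find_suspicious(events):
    """Return (reason, event) pairs for records matching the advisory's IoCs."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 1:  # Sysmon-style process creation
            parent = _name(ev.get("ParentImage", ""))
            child = _name(ev.get("Image", ""))
            if parent in LICENSE_MANAGER and child not in EXPECTED_CHILDREN:
                hits.append(("unexpected child of license manager", ev))
        elif ev.get("EventID") == 1000:  # Application Error (crash)
            if _name(ev.get("FaultingApplication", "")) in LICENSE_MANAGER:
                hits.append(("license manager crash", ev))
    return hits


# Constructed sample records, not real telemetry; paths are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\LicenseManager\SNI_LMM.exe",
     "ParentImage": r"C:\LicenseManager\lmgrd.exe"},  # normal vendor daemon start
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\LicenseManager\lmgrd.exe"},  # shell spawned by lmgrd
    {"EventID": 1000, "FaultingApplication": "lmgrd.exe"},  # lmgrd crashed
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},  # unrelated
]

if __name__ == "__main__":
    for reason, ev in find_suspicious(SAMPLE_EVENTS):
        print(f"{reason}: {ev}")
```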
## References
- Schneider Electric Advisory (SEVD-2019-134-01): hxxps[://]www[.]se[.]com/ww/en/download/document/SEVD-2019-134-01/
- Kaspersky ICS-CERT: hxxps[://]ics-cert[.]kaspersky[.]com/advisories/klcas-2019-003/
- ICS-CERT (CISA) Advisory ICSA-19-134-02: hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/icsa-19-134-02