Full Report
A language pack (ZIP file) containing invalid HTML files leads to a NULL pointer access. A remote attacker can create such a language pack file with an invalid HTML file on their own. The vulnerability causes a denial of service of the remote process. OVAL definition: KLCERT-17-001_OVAL
Analysis Summary
# Vulnerability: Sentinel LDK RTE NULL Pointer Dereference in Language Pack Processing
## CVE Details
- **CVE ID**: CVE-2017-11498
- **CVSS Score**: 7.5 (High) - *Note: While the article text mentions 0.0, the provided vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H calculates to 7.5 High.*
- **CWE**: CWE-476 (NULL Pointer Dereference)
## Affected Systems
- **Products**: SafeNet/Gemalto Sentinel LDK (Runtime Environment), Sentinel HASP, and HASP SRM.
- **Versions**: v2.10 through v7.50 (specifically `hasplms.exe` versions prior to 19.3.1.66130).
- **Configurations**: Systems running the Sentinel License Manager service, typically listening on port 1947.
## Vulnerability Description
The vulnerability lies in the way the Sentinel LDK Runtime Environment (RTE) processes language packs. Language packs are provided as ZIP files containing HTML files used for the localized user interface. If a language pack contains specially crafted, invalid HTML files, the `hasplms.exe` process fails to handle the data correctly and dereferences a NULL pointer, which crashes the remote process immediately.
## Exploitation
- **Status**: Unknown (Publicly disclosed since 2017; PoC existence is implied by the nature of the discovery but not explicitly linked).
- **Complexity**: Low
- **Attack Vector**: Network (Remote)
## Impact
- **Confidentiality**: None
- **Integrity**: None
- **Availability**: High (Complete Denial of Service of the License Manager process).
## Remediation
### Patches
- **Sentinel LDK RTE v7.55**: Users should update to version 7.55 or later.
- **Component Version**: Ensure `hasplms.exe` is version 19.3.1.66130 or higher.
- **Download**: Updates are available via the Sentinel Customer Downloads site: hxxps[://]sentinelcustomer[.]gemalto[.]com/sentineldownloads/
### Workarounds
- No specific software workarounds are provided; however, restricting access to the administrative port (1947) to authorized users only reduces the attack surface.
## Detection
- **Indicators of Compromise**: Unexpected crashing or restarting of the `hasplms.exe` service.
- **Detection Methods**:
  - **Network Monitoring**: Implement monitoring to detect suspicious traffic directed at remote port 1947.
  - **OVAL Scanning**: Utilize the provided OVAL definition: `KLCERT-17-001_OVAL`.
  - **File Monitoring**: Monitor for the execution or upload of suspicious ZIP/language pack files to the Sentinel LDK directories.
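The two checks above that a defender can automate are the `hasplms.exe` version comparison from the Remediation section and the "unexpected crashing" indicator from the Detection section. The following Python is an added example written for this summary, not code from Kaspersky ICS CERT, Gemalto or the advisory; the log records are constructed in the shape of Windows Application log "Application Error" (Event ID 1000) entries, and the faulting versions and timestamps in them are invented.

```python
import re
from datetime import datetime, timedelta

# Fixed hasplms.exe build named in the advisory's remediation section.
PATCHED_HASPLMS_VERSION = "19.3.1.66130"

def parse_version(version):
    """Turn a dotted version string such as '19.3.1.66130' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))

def hasplms_is_vulnerable(installed_version):
    """True when the installed hasplms.exe build is older than the fixed one."""
    return parse_version(installed_version) < parse_version(PATCHED_HASPLMS_VERSION)

# Constructed sample records (not real telemetry). 0xc0000005 is the Windows
# access-violation code, which is how a NULL pointer dereference usually surfaces.
SAMPLE_EVENTS = [
    "2017-08-01T10:00:01 EventID=1000 Faulting application name: hasplms.exe, version: 19.2.0.1, Exception code: 0xc0000005",
    "2017-08-01T10:00:45 EventID=1000 Faulting application name: hasplms.exe, version: 19.2.0.1, Exception code: 0xc0000005",
    "2017-08-01T10:01:30 EventID=1000 Faulting application name: hasplms.exe, version: 19.2.0.1, Exception code: 0xc0000005",
    "2017-08-01T12:00:00 EventID=1000 Faulting application name: notepad.exe, version: 10.0.1, Exception code: 0xc0000005",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=1000 Faulting application name: (?P<app>[^,]+), "
    r"version: (?P<ver>[^,]+), Exception code: (?P<code>0x[0-9a-fA-F]+)"
)

def hasplms_faults(lines):
    """Extract (timestamp, version, exception code) for every hasplms.exe fault record."""
    faults = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m and m.group("app").lower() == "hasplms.exe":
            faults.append((datetime.fromisoformat(m.group("ts")), m.group("ver"), m.group("code")))
    return faults

def crash_burst_alert(lines, window=timedelta(minutes=5), threshold=3):
    """True when `threshold` hasplms.exe faults fall inside one `window`: the
    license manager is being crashed repeatedly, which is what this DoS looks like."""
    times = sorted(ts for ts, _, _ in hasplms_faults(lines))
    for i in range(len(times) - threshold + 1):
        if times[i + threshold - 1] - times[i] <= window:
            return True
    return False

def triage(lines):
    """Combine both checks: unpatched builds seen faulting, and whether a crash burst occurred."""
    unpatched = sorted({ver for _, ver, _ in hasplms_faults(lines) if hasplms_is_vulnerable(ver)})
    return {"unpatched_versions": unpatched, "crash_burst": crash_burst_alert(lines)}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

On a real host, feed `crash_burst_alert` the Event ID 1000 records exported from the Application log and `hasplms_is_vulnerable` the file version reported by the installed `hasplms.exe`.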
## References
- Kaspersky ICS CERT Advisory: hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2017/07/28/klcert-17-001-sentinel-ldk-rte-language-pack-with-invalid-html-files-leads-to-denial-of-service/
- NVD CVE-2017-11498: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2017-11498
- OVAL Definition: hxxps[://]ics-cert[.]kaspersky[.]com/wp-content/uploads/sites/27/2017/11/KLCERT-17-001_OVAL[.]xml