Full Report
Language packs containing malformed filenames lead to a stack buffer overflow. The vulnerability allows arbitrary code execution. OVAL definition: KLCERT-17-002_OVAL
Analysis Summary
# Vulnerability: Sentinel LDK RTE Stack Buffer Overflow via Malformed Language Packs
## CVE Details
- **CVE ID:** CVE-2017-11497
- **CVSS Score:** 10.0 (Critical), derived from the vector `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
- **CWE:** CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- **Products:** Safeguard/Gemalto Sentinel HASP, Sentinel LDK, and HASP SRM.
- **Versions:** Sentinel LDK RTE versions 2.10 through 7.50 (specifically `hasplms.exe` versions prior to 19.3.1.66130).
- **Configurations:** Systems running the Sentinel Run-time Environment (RTE) listening on network ports.
## Vulnerability Description
The vulnerability exists within the Sentinel LDK Run-time Environment (RTE) service (`hasplms.exe`). The software fails to properly validate the filenames within language packs. Processing a malformed filename triggers a stack-based buffer overflow. Because this service typically runs with high privileges and handles remote requests, an attacker can leverage this flaw to overwrite the stack and redirect the flow of execution.
## Exploitation
- **Status:** Unknown (no public PoC is cited in the advisory, but the flaw is rated as high-risk remote code execution).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to system data)
- **Integrity:** High (Ability to modify system files and settings)
- **Availability:** High (Potential for system crashes or total takeover)
## Remediation
### Patches
- **Update to Sentinel LDK RTE v7.55** or later. This update was released May 25, 2017.
- Ensure `hasplms.exe` is version **19.3.1.66130** or higher.
### Workarounds
- The vendor provides no specific software workaround; until the update is applied, standard network hardening of the RTE's listening port is recommended (see Detection).
## Detection
- **Indicators of Compromise:** Unusual crashes of the `hasplms.exe` process or unexpected files appearing in language pack directories.
- **Detection methods and tools:**
  - **Network Monitoring:** Implement monitoring to detect and inspect suspicious traffic on **TCP/UDP Port 1947**.
  - **OVAL Definition:** Use the provided OVAL definition [KLCERT-17-002_OVAL] for automated vulnerability scanning.
  - **Endpoint Monitoring:** Monitor for suspicious file executions originating from the Sentinel service.
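As an added host-side check (not part of the advisory or of the vendor's tooling), the following PowerShell script locates the running `hasplms.exe`, compares its file version against the fixed build 19.3.1.66130 named above, and reports whether the RTE is bound on port 1947. It assumes the service process is named `hasplms` and that the NetTCPIP cmdlets are available (Windows 8 / Server 2012 or later).

```powershell
# Added check, not from the advisory: compare the running hasplms.exe against the
# fixed build and report whether the RTE is exposed on port 1947.
# Run from an elevated prompt so the service process's path is readable.
$FixedVersion = [version]'19.3.1.66130'

function Test-HasplmsVersion {
    param([Parameter(Mandatory)][string]$FileVersion)  # e.g. "19.3.1.66130"
    # FileVersion strings sometimes use commas or carry trailing text; keep the dotted numeric part.
    $m = [regex]::Match(($FileVersion -replace ',', '.'), '\d+(\.\d+){1,3}')
    if (-not $m.Success) { throw "Unrecognised version string: '$FileVersion'" }
    $v = [version]$m.Value
    [pscustomobject]@{ FileVersion = $v; Vulnerable = ($v -lt $FixedVersion) }
}

# Locate the binary through the running process instead of assuming an install path.
$proc = Get-Process -Name hasplms -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $proc) {
    Write-Output 'hasplms.exe is not running; the Sentinel RTE may not be installed on this host.'
} elseif (-not $proc.Path) {
    Write-Output 'Could not read the hasplms.exe path; re-run from an elevated prompt.'
} else {
    $result = Test-HasplmsVersion -FileVersion (Get-Item -LiteralPath $proc.Path).VersionInfo.FileVersion
    $verdict = 'at or above the fixed build'
    if ($result.Vulnerable) { $verdict = 'BELOW the fixed build: update to Sentinel LDK RTE 7.55 or later' }
    Write-Output ('hasplms.exe {0} ({1}) is {2}.' -f $result.FileVersion, $proc.Path, $verdict)

    # The advisory's exposure point: is the service reachable on TCP/UDP 1947?
    $tcp = Get-NetTCPConnection -LocalPort 1947 -State Listen -ErrorAction SilentlyContinue
    $udp = Get-NetUDPEndpoint -LocalPort 1947 -ErrorAction SilentlyContinue
    $bound = @($tcp) + @($udp) | Where-Object { $_ } | ForEach-Object { $_.LocalAddress } | Sort-Object -Unique
    if ($bound) {
        Write-Output ('Port 1947 is bound on {0}; restrict it to hosts that need license access.' -f ($bound -join ', '))
    } else {
        Write-Output 'Port 1947 is not bound; the RTE is not exposed over the network.'
    }
}
```

A host that reports a version below the fixed build while binding 1947 on a routable address matches the remote, unauthenticated profile in the CVSS vector above and should be prioritised for the update.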
## References
- Vendor Advisory / Downloads: hxxps[://]sentinelcustomer[.]gemalto[.]com/sentineldownloads/
- NVD CVE Entry: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2017-11497
- Kaspersky ICS CERT Advisory: hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2017/07/28/klcert-17-002-sentinel-ldk-rte-language-packs-containing-malformed-filenames-lead-to-remote-code-execution/
- OVAL Definition: hxxps[://]ics-cert[.]kaspersky[.]com/wp-content/uploads/sites/27/2017/11/KLCERT-17-002_OVAL[.]xml