Full Report
Malformed ASN1 streams in V2C and similar input files can be used to trigger stack buffer overflows. The vulnerability leads to arbitrary code execution.
OVAL definition: KLCERT-17-003_OVAL
Analysis Summary
# Vulnerability: Sentinel LDK RTE Stack Buffer Overflow via Malformed ASN1 Streams
## CVE Details
- **CVE ID:** CVE-2017-11496
- **CVSS Score:** 10.0 (Critical) - CVSS v3.0 Vector: `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
- **CWE:** CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- **Products:** HASP SRM, Sentinel HASP, and Sentinel LDK.
- **Versions:** All versions prior to Sentinel LDK RTE 7.55 (specifically `hasplms.exe` versions earlier than 19.3.1.66130).
- **Configurations:** Systems running the Run-time Environment (RTE) between versions 2.10 and 7.50.
## Vulnerability Description
The vulnerability exists within the way the Sentinel LDK Run-time Environment processes ASN1 streams. When a malformed ASN1 stream is provided via V2C (Vendor-to-Customer) or similar input files, the application fails to properly validate the input size, leading to a stack-based buffer overflow. Because this processing occurs within the `hasplms.exe` service, a successful exploit allows for arbitrary code execution with high privileges.
## Exploitation
- **Status:** Unknown (No public PoC cited in the advisory, but the flaw is well-documented).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to system data)
- **Integrity:** High (Ability to modify system files and configurations)
- **Availability:** High (Potential for system crashes or complete takeover)
## Remediation
### Patches
- **Sentinel LDK RTE v7.55:** Released May 25, 2017. Users should ensure `hasplms.exe` is version 19.3.1.66130 or later.
- Patches are available via the Sentinel Downloads site: hxxps[://]sentinelcustomer[.]gemalto[.]com/sentineldownloads/
### Workarounds
- No specific software workarounds provided; immediate patching is the recommended course of action.
## Detection
- **Indicators of Compromise:** Monitor for crashes or unexpected restarts of the `hasplms.exe` service, which may indicate exploitation attempts.
- **Detection Methods:**
  - **Network Monitoring:** Inspect traffic to **port 1947** (the default port for Sentinel license management) for suspicious or malformed ASN1 payloads.
  - **Endpoint Monitoring:** Monitor for suspicious file executions or child processes originating from the Sentinel RTE service process.
  - **OVAL Scanning:** Use the OVAL definition `KLCERT-17-003_OVAL` for automated vulnerability assessment.
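As an added example that is not part of the advisory, the following Python check flags hosts whose reported `hasplms.exe` file version is below the fixed build 19.3.1.66130 (the version shipped with RTE 7.55). The inventory dictionary, hostnames and version strings are constructed; the `parse_version`, `is_vulnerable` and `vulnerable_hosts` names are this example's own.

```python
"""Added example (not from the advisory): flag hosts whose hasplms.exe
is older than the fixed build 19.3.1.66130 shipped with Sentinel LDK RTE 7.55."""
from typing import Dict, List, Tuple

FIXED_HASPLMS_VERSION = "19.3.1.66130"  # fixed build named in the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted file version into a tuple of integers.

    Integer comparison matters: a plain string comparison would rank
    "19.3.1.9" above "19.3.1.66130" and report a vulnerable host as patched.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(hasplms_version: str, fixed: str = FIXED_HASPLMS_VERSION) -> bool:
    """True when the installed hasplms.exe is older than the fixed build."""
    have, want = parse_version(hasplms_version), parse_version(fixed)
    # Pad the shorter tuple with zeros so "19.3" compares as "19.3.0.0".
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return have < want


def vulnerable_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames whose hasplms.exe version is below the fix.

    Unparseable entries are flagged as well, so a bad inventory value is
    never silently treated as patched.
    """
    flagged = []
    for host, version in sorted(inventory.items()):
        try:
            if is_vulnerable(version):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return flagged


# Constructed inventory (hostnames and versions are made up for the example),
# standing in for file-version data collected by an endpoint agent.
SAMPLE_INVENTORY = {
    "plc-eng-01": "19.3.1.66130",  # exactly the fixed build: not flagged
    "plc-eng-02": "19.3.1.9",      # older, but sorts above the fix as a string
    "hmi-03": "19.2.0.50000",
    "hmi-04": "20.0.0.1",
    "lic-srv": "unknown",          # unparseable: flagged for follow-up
}

if __name__ == "__main__":
    print(vulnerable_hosts(SAMPLE_INVENTORY))
```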
## References
- **Vendor Advisory:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2017/07/28/klcert-17-003-sentinel-ldk-rte-malformed-asn1-streams-in-v2c-files-lead-to-remote-code-execution/
- **NVD Detail:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2017-11496
- **OVAL Definition:** hxxps[://]ics-cert[.]kaspersky[.]com/wp-content/uploads/sites/27/2017/11/KLCERT-17-003_OVAL[.]xml