Full Report
Memory corruption in Gemalto’s HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55 might cause remote code execution.
Analysis Summary
# Vulnerability: Gemalto Sentinel LDK RTE Memory Corruption
## CVE Details
- **CVE ID:** CVE-2017-12821
- **CVSS Score:** 9.8 (Critical) - *Note: The CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H calculates to 9.8, despite the text's "0.0" placeholder.*
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) / Memory Corruption
## Affected Systems
- **Products:** Gemalto HASP SRM, Sentinel HASP, and Sentinel LDK.
- **Versions:** All versions prior to Sentinel LDK RTE (Run-time Environment) 7.55; the vendor's recommended update target is 7.60 (see Remediation).
- **Configurations:** Systems running the HASP License Manager service, which typically listens on network ports for license verification.
## Vulnerability Description
A memory corruption vulnerability exists in the way the Sentinel LDK RTE processes specially crafted input. The flaw allows for memory to be overwritten, which can be leveraged by an attacker to redirect execution flow. Due to the nature of the corruption and the lack of required authentication, this can result in the execution of arbitrary code in the context of the service, which often runs with elevated privileges (SYSTEM/root).
## Exploitation
- **Status:** No public exploit was known as of the advisory date.
- **Complexity:** Low
- **Attack Vector:** Network (Remote) - No user interaction or authentication is required.
## Impact
- **Confidentiality:** High (Full data access possible via RCE)
- **Integrity:** High (Modification of system files and logic)
- **Availability:** High (Potential for service crashes or full system takeover)
## Remediation
### Patches
- **Sentinel LDK RTE v7.60 or higher:** Users are advised to update their Run-time Environment to at least version 7.60.
- Patches can be acquired via the Sentinel Downloads site: hxxps[://]sentinelcustomer[.]gemalto[.]com/sentineldownloads/
### Workarounds
- No software workaround was provided by the vendor. If immediate patching is not possible, restrict network access to the License Manager port (1947, TCP and UDP) to the hosts that legitimately need license checks, and monitor that port (see Detection).
## Detection
- **Network Monitoring:** Monitor and inspect traffic to port **1947** (TCP and UDP, the default port of the Sentinel License Manager) for malformed packets or connections from hosts that should not be performing license checks.
- **Endpoint Monitoring:** Monitor for suspicious file executions or unexpected child processes spawned by the Sentinel/HASP License Manager service process.
- **Indicators of Compromise:** Unusual spikes in traffic to port 1947, or License Manager service crashes followed by unauthorized administrative activity.
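The detection items above (traffic spikes and unexpected sources on port 1947) and the version check from the Remediation section can be turned into a small offline triage script. The following is an added example written for this report, not code from Gemalto, Kaspersky ICS CERT or the advisory: the firewall log format, the 60-second window, the threshold of 20 connections, the allowed network ranges and all sample log lines are constructed assumptions, and the version parser assumes the two-digit minor numbering the advisory uses (7.55, 7.60).

```python
"""Triage helper for the Sentinel/HASP License Manager port (added example).

Flags (1) per-source connection spikes to port 1947 and (2) sources outside the
networks that are allowed to perform license checks, and classifies an installed
LDK RTE version against the advisory's 7.55 / 7.60 thresholds.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

LICENSE_MANAGER_PORT = 1947   # default Sentinel License Manager port (from the advisory)
VULNERABLE_BELOW = (7, 55)    # advisory: memory corruption present before RTE 7.55
RECOMMENDED_MIN = (7, 60)     # advisory: update to RTE 7.60 or higher

# Constructed sample firewall log in a hypothetical format:
# "<ISO-8601 time> <src_ip> -> <dst_ip>:<dst_port> <proto> <bytes>"
SAMPLE_LOG = "\n".join(
    ["2017-10-02T09:00:01 10.0.0.5 -> 10.0.0.20:1947 tcp 512",
     "2017-10-02T09:00:02 10.0.0.6 -> 10.0.0.20:1947 udp 128",
     "2017-10-02T09:00:05 10.0.0.5 -> 10.0.0.20:443 tcp 2048",
     "this line is deliberately malformed and must be skipped"]
    # 25 rapid connections from one external host to the license port (constructed)
    + [f"2017-10-02T09:01:{i:02d} 203.0.113.7 -> 10.0.0.20:1947 tcp 9000"
       for i in range(25)]
)


def parse_line(line):
    """Parse one log line of the assumed format into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "->":
        return None
    dst_ip, _, dst_port = parts[3].rpartition(":")
    try:
        return {
            "time": datetime.fromisoformat(parts[0]),
            "src": ipaddress.ip_address(parts[1]),
            "dst": ipaddress.ip_address(dst_ip),
            "dport": int(dst_port),
            "proto": parts[4],
            "bytes": int(parts[5]),
        }
    except ValueError:
        return None


def find_spikes(records, window=60, threshold=20):
    """Count license-port connections per (source, time window); return those over threshold."""
    counts = defaultdict(int)
    epoch = datetime(1970, 1, 1)            # naive epoch: bucketing only, no timezone needed
    for r in records:
        if r["dport"] != LICENSE_MANAGER_PORT:
            continue
        secs = int((r["time"] - epoch).total_seconds())
        counts[(str(r["src"]), secs - secs % window)] += 1
    return [(src, start, n) for (src, start), n in sorted(counts.items()) if n > threshold]


def external_sources(records, allowed_networks):
    """Sources that reached the license port from outside the allowed networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return sorted({str(r["src"]) for r in records
                   if r["dport"] == LICENSE_MANAGER_PORT
                   and not any(r["src"] in net for net in nets)})


def analyze(log_text, allowed_networks=("10.0.0.0/8",)):
    """Run both network checks over raw log text; allowed_networks is an assumption."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {"spikes": find_spikes(records),
            "external": external_sources(records, allowed_networks)}


def parse_rte_version(version):
    """'7.55' -> (7, 55); '7.6' is normalised to (7, 60) (two-digit minor assumed)."""
    major, _, minor = version.strip().partition(".")
    return int(major), int((minor or "0").ljust(2, "0")[:2])


def rte_version_status(version):
    """Classify an installed LDK RTE version against the advisory thresholds."""
    v = parse_rte_version(version)
    if v < VULNERABLE_BELOW:
        return "vulnerable"
    if v < RECOMMENDED_MIN:
        return "update-recommended"
    return "ok"


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
    for ver in ("7.50", "7.55", "7.60"):
        print(ver, rte_version_status(ver))
```

Feed the script a real export of firewall or flow logs after adapting `parse_line` to that format; the thresholds are a starting point and should be tuned to the normal license-check volume of the environment, since legitimate clients poll the License Manager regularly.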
## References
- Kaspersky ICS CERT Advisory: hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2017/10/02/klcert-17-007-sentinel-ldk-rte-memory-corruption-might-cause-remote-code-execution/
- NVD CVE-2017-12821: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2017-12821