Full Report
Remotely enabling and disabling the administrative interface opens new attack vectors on the remote system in Gemalto's HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55.
Analysis Summary
# Vulnerability: Sentinel LDK RTE Remote Administrative Interface Manipulation
## CVE Details
- **CVE ID:** CVE-2017-12822
- **CVSS Score:** 9.1 (Critical)
  - *Note: While the article text mentions "0.0", the provided CVSS v3.0 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L) calculates to 9.1. The severity is high due to potential Remote Code Execution.*
- **CWE:** Not specified in the source (Typically relates to CWE-285: Improper Authorization or CWE-420: Unauthenticated Administrative Interface).
## Affected Systems
- **Products:** Gemalto HASP SRM, Sentinel HASP, and Sentinel LDK.
- **Versions:** Prior to Sentinel LDK RTE version 7.55 (Note: Vendor recommendation specifies upgrading to 7.60).
- **Configurations:** Systems running the Sentinel License Manager service exposed to the network.
## Vulnerability Description
A vulnerability exists in the Sentinel LDK Run-time Environment (RTE) that allows an unauthenticated remote user to enable or disable the administrative interface. This improper access control opens new attack vectors on the remote system, which could eventually be leveraged to achieve Remote Code Execution (RCE) by an unauthenticated attacker.
## Exploitation
- **Status:** Existence of exploit unknown (No publicly documented PoC in the source provided).
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Potential for RCE leading to full data access).
- **Integrity:** Low (Ability to modify administrative configurations).
- **Availability:** Low (Ability to disable interfaces or services).
## Remediation
### Patches
- **Update to Sentinel LDK RTE v7.60 or higher.** Security updates were released by the vendor on July 21, 2017.
- Patches are available at the Sentinel Customer Portal: hxxps[://]sentinelcustomer[.]gemalto[.]com/sentineldownloads/
### Workarounds
- Restrict network access to the port used by the License Manager (TCP/UDP 1947).
- Disable remote administration via local configuration if the update cannot be immediately applied.
## Detection
- **Indicators of Compromise:** Unusual configuration changes in the Sentinel HASP Admin Control Center.
- **Detection Methods and Tools:**
  - Implement network monitoring to detect suspicious behavior or unauthorized traffic on **port 1947**.
  - Monitor for suspicious file executions stemming from the Sentinel License Manager process (hasplms.exe).
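
The port 1947 monitoring described above, as an added example that is not part of the original report or the vendor's tooling: it scans flow records and reports License Manager traffic whose source is outside an allowlist. The log line format, the `ALLOWED_SOURCES` subnet and every sample address are constructed assumptions; only IPv4 records are handled.

```python
import ipaddress

LM_PORT = 1947  # License Manager port named in the report (TCP/UDP)
# Assumption: the only subnet that should ever talk to the License Manager.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample records: "timestamp proto src_ip:port -> dst_ip:port"
SAMPLE_FLOWS = """\
2017-10-02T08:00:01Z TCP 10.20.0.15:51234 -> 10.20.5.9:1947
2017-10-02T08:00:07Z UDP 192.0.2.44:40000 -> 10.20.5.9:1947
2017-10-02T08:01:12Z TCP 198.51.100.7:55110 -> 10.20.5.9:1947
2017-10-02T08:01:30Z TCP 198.51.100.7:55111 -> 10.20.5.9:443
malformed line
"""

def parse_flow(line):
    """Return (ts, proto, src_ip, dst_ip, dst_port), or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    ts, proto, src, _, dst = parts
    try:
        src_ip = ipaddress.ip_address(src.rsplit(":", 1)[0])
        dst_host, dst_port = dst.rsplit(":", 1)
        return ts, proto.upper(), src_ip, ipaddress.ip_address(dst_host), int(dst_port)
    except ValueError:
        return None

def unauthorized_lm_flows(log_text, allowed=ALLOWED_SOURCES, port=LM_PORT):
    """List flows to the License Manager port from non-allowlisted sources."""
    alerts = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip unparseable records instead of aborting the scan
        ts, proto, src_ip, dst_ip, dst_port = flow
        if dst_port != port or proto not in ("TCP", "UDP"):
            continue
        if not any(src_ip in net for net in allowed):
            alerts.append((ts, proto, str(src_ip), str(dst_ip)))
    return alerts

if __name__ == "__main__":
    for alert in unauthorized_lm_flows(SAMPLE_FLOWS):
        print("ALERT unexpected License Manager traffic:", *alert)
```
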
## References
- **Vendor Advisory:** KLCERT-17-008
- **NVD:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2017-12822
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2017/10/02/klcert-17-008-sentinel-ldk-rte-remote-enabling-and-disabling-admin-interface/