Full Report
Remote manipulations with language pack updater lead to NTLM-relay attack for system user in Gemalto’s HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55.
Analysis Summary
# Vulnerability: Remote NTLM-Relay via Language Pack Updater in Sentinel LDK
## CVE Details
- **CVE ID:** CVE-2017-12819
- **CVSS Score:** 7.3 (High). *Note: the article text lists 0.0, but the stated vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and the NVD rating for this CVE correspond to High severity.*
- **CWE:** CWE-287 (Improper Authentication) / CWE-294 (Authentication Bypass by Capture-replay)
## Affected Systems
- **Products:** Gemalto HASP SRM, Sentinel HASP, and Sentinel LDK.
- **Versions:** All versions prior to Sentinel LDK RTE (Runtime Environment) version 7.55/7.60.
- **Configurations:** Systems running the Sentinel License Manager service which listens on port 1947.
## Vulnerability Description
The vulnerability exists within the language pack updater component of the Sentinel LDK Runtime Environment. A remote, unauthenticated attacker can manipulate the update process to trigger a connection from the "SYSTEM" user account of the targeted machine to an attacker-controlled SMB share.
Because the service attempts to authenticate against the rogue share, the attacker can capture the NTLM hash of the SYSTEM account or perform an NTLM-relay attack to gain unauthorized access to other network resources or escalate privileges on the local system.
## Exploitation
- **Status:** Unknown. The provided text reports no in-the-wild exploitation; a proof of concept is plausible given the low complexity but is not referenced.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** Low/Medium (NTLM hash exposure).
- **Integrity:** Low/Medium (Depending on successful relay/impersonation).
- **Availability:** Low/Medium (Potential for service disruption).
## Remediation
### Patches
- **Sentinel LDK RTE v7.60 or higher:** Users are advised to upgrade to the latest version of the Runtime Environment available at the Sentinel Customer portal.
### Workarounds
- **Port Filtering:** Block or restrict access to TCP/UDP port 1947 at the network perimeter and on local host firewalls to trusted IP addresses only.
- **SMB Outbound Restrictions:** Block outbound SMB (TCP port 445) traffic from critical servers to any external address or non-approved internal address, so that a coerced authentication cannot reach an attacker-controlled share and leak NTLM credentials.
## Detection
- **Network Monitoring:** Monitor for suspicious traffic on **TCP port 1947**.
- **File Integrity:** Monitor for suspicious file executions or unexpected writes to the language pack directories of the Sentinel installation.
- **Event Logs:** Audit Windows logs for outbound NTLM authentication attempts originating from the "SYSTEM" user to unknown remote IP addresses.
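One way to act on the last detection point, as an added example that is not from the advisory or the vendor: a small Python check over constructed connection records (the CSV schema and the file-server allowlist are assumptions) that flags SMB connections made by the SYSTEM account to hosts outside the approved list, rating external destinations highest because they match the coerced-authentication pattern described above.

```python
"""Flag outbound SMB connections made by SYSTEM to non-approved hosts.
Added example; the record schema is assumed, not a real Windows log format."""
import csv
import io
import ipaddress

SMB_PORT = 445
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}
# RFC 1918 ranges are treated as internal; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (assumed schema): user,dest_ip,dest_port.
SAMPLE_CONNECTIONS = """\
user,dest_ip,dest_port
NT AUTHORITY\\SYSTEM,10.0.0.5,445
NT AUTHORITY\\SYSTEM,203.0.113.42,445
CORP\\alice,10.0.9.77,445
NT AUTHORITY\\SYSTEM,10.0.9.77,445
NT AUTHORITY\\SYSTEM,10.0.0.5,1947
"""
# Constructed allowlist of file servers SYSTEM is expected to reach over SMB.
APPROVED_SMB_SERVERS = frozenset({"10.0.0.5"})


def classify_destination(ip_text):
    """Return 'internal' for RFC 1918 addresses, 'external' otherwise."""
    addr = ipaddress.ip_address(ip_text)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def flag_system_smb(records_csv, approved=APPROVED_SMB_SERVERS):
    """One finding per SYSTEM -> port 445 connection to a non-approved host.
    An external destination matches the coerced-authentication pattern the
    advisory describes, so it is rated high; unapproved internal hosts medium."""
    findings = []
    for row in csv.DictReader(io.StringIO(records_csv)):
        if row["user"] not in SYSTEM_ACCOUNTS or int(row["dest_port"]) != SMB_PORT:
            continue
        if row["dest_ip"] in approved:
            continue
        scope = classify_destination(row["dest_ip"])
        findings.append({"dest_ip": row["dest_ip"], "scope": scope,
                         "severity": "high" if scope == "external" else "medium"})
    return findings


if __name__ == "__main__":
    for f in flag_system_smb(SAMPLE_CONNECTIONS):
        print(f"{f['severity'].upper()}: SYSTEM -> {f['dest_ip']}:445 ({f['scope']})")
```

Feeding the same logic real connection records (for example, exported firewall or Sysmon network events) only requires mapping their fields onto the three assumed columns.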
## References
- **Vendor Advisory:** hxxps[://]sentinelcustomer[.]gemalto[.]com/sentineldownloads/
- **Original Advisory:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2017/10/02/klcert-17-005-sentinel-ldk-rte-remote-manipulations-with-language-pack-updater-lead-to-ntlm-relay-attack-for-system-user/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2017-12819