Full Report
Kaspersky Lab ICS CERT has identified multiple vulnerabilities in the hasplms service, which is part of Gemalto's HASP SRM, Sentinel HASP and Sentinel LDK products: denial of service (DoS), NTLM-relay attack, stack buffer overflow, remote enabling of the web admin interface, arbitrary memory read and possible remote code execution (RCE).
Analysis Summary
# Vulnerability: Multiple Flaws in Gemalto Sentinel HASP/LDK License Manager
## CVE Details
- **CVE ID:**
  - CVE-2017-12818 (Stack Overflow)
  - CVE-2017-12819 (NTLM Relay)
  - CVE-2017-12820 (Arbitrary Memory Read)
  - CVE-2017-12821 (Memory Corruption/RCE)
  - CVE-2017-12822 (Remote Admin Interface Manipulation)
- **CVSS Score:** Not explicitly provided in the source, but the impacts are categorized up to Critical (Remote Code Execution).
- **CWE:** CWE-121 (Stack-based Buffer Overflow), CWE-125 (Out-of-bounds Read), CWE-287 (Improper Authentication).
## Affected Systems
- **Products:**
  - Gemalto HASP SRM
  - Sentinel HASP
  - Sentinel LDK (License Development Kit)
  - `hasplms` service/driver
- **Versions:** Sentinel LDK Run-time Environment (RTE) versions 2.10 through 7.50.
- **Configurations:** Systems utilizing USB license keys; the vulnerable driver may be automatically installed upon plugging in a hardware key. The `hasplms` service listens on port **1947/tcp** by default.
## Vulnerability Description
Kaspersky Lab ICS CERT identified multiple critical flaws in the `hasplms` license management service:
1. **Stack Overflow:** A flaw in the custom XML parser allows a remote Denial of Service (DoS).
2. **NTLM-Relay:** Manipulation of the language pack updater allows an attacker to capture or relay NTLM credentials for the system user.
3. **Arbitrary Memory Read:** Attacker-controlled memory pointers can be used to read sensitive data or crash the service.
4. **Memory Corruption:** A flaw that may facilitate Remote Code Execution (RCE) on the host system.
5. **Configuration Manipulation:** The web admin interface is enabled by default and, even if manually disabled, can be re-enabled remotely by an attacker.
## Exploitation
- **Status:** Reported by researchers and patched; no specific mention of "in the wild" exploitation in this report, but technical details suggest high exploitability.
- **Complexity:** Low to Medium (some flaws can be triggered with no prior authentication).
- **Attack Vector:** Network (Remote). All vulnerabilities can be exploited over the network with or without the web admin interface being active.
## Impact
- **Confidentiality:** High (Memory read and NTLM credential theft).
- **Integrity:** High (Remote Code Execution and admin configuration changes).
- **Availability:** High (Remote Denial of Service).
## Remediation
### Patches
- **Update to Sentinel LDK RTE version 7.6** or later (released July 27, 2017).
- Downloads are available via the vendor's portal: `https[:]//sentinelcustomer[.]gemalto[.]com/sentineldownloads/`
### Workarounds
- Filter or block traffic to port **1947/tcp** at the network firewall level unless strictly required for license management.
- Disable the web administrative interface if not in use (though note CVE-2017-12822 allows remote re-enabling).
## Detection
- **Indicators of Compromise:** Unusual traffic on port 1947/tcp, unexpected changes to the License Manager configuration, or service crashes in `hasplms.exe`.
- **Detection methods:** Network security monitoring (NSM) for XML-based exploits targeting port 1947. Vulnerability scanners should check for Sentinel RTE versions below 7.6.
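The two detection methods above, as an added example that is not from the Kaspersky advisory or from Gemalto: a version check a scanner would apply, and a triage helper for 1947/tcp traffic. The firewall-log format, its field names and the trusted-client subnet are constructed; the version comparison assumes the vendor's version numbers read as decimals (7.50 is 7.5), which the advisory's own range (7.50 affected, 7.6 fixed) implies.

```python
"""Detection helpers for the Sentinel LDK RTE / hasplms exposure described above."""
from decimal import Decimal
import ipaddress
import re

HASPLMS_PORT = 1947        # default hasplms listener, per the advisory
FIRST_FIXED_RTE = "7.6"    # first fixed Sentinel LDK RTE release (July 2017)


def is_vulnerable_rte(version: str) -> bool:
    """True if a Sentinel LDK RTE version lies in the affected range 2.10 .. 7.50.

    Assumption: the vendor writes RTE versions as decimals ("7.50" means 7.5), as
    the advisory implies by listing 7.50 as affected and 7.6 as the fix. A naive
    component-wise compare (50 > 6) would wrongly report 7.50 as already patched.
    Only the first two components are used ("7.50.1" -> 7.50).
    """
    major, minor = (version.strip().split(".") + ["0"])[:2]
    return Decimal("2.10") <= Decimal(f"{major}.{minor}") < Decimal(FIRST_FIXED_RTE)


# Constructed firewall-log format for this example; adapt the regex to your log source.
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)")


def flag_license_manager_traffic(log_lines, trusted_client_nets):
    """Return lines showing TCP/1947 connections from outside the trusted license-client ranges.

    Connections to hasplms from hosts that are not known license clients are the
    'unusual traffic on port 1947/tcp' indicator the advisory asks defenders to watch.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_client_nets]
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["proto"].lower() != "tcp" or int(m["dport"]) != HASPLMS_PORT:
            continue
        if not any(ipaddress.ip_address(m["src"]) in n for n in nets):
            hits.append(line)
    return hits


SAMPLE_LOGS = [  # constructed sample lines, not real telemetry
    "2017-10-03T10:00:01Z src=10.0.5.12 dst=10.0.5.200:1947 proto=tcp action=allow",
    "2017-10-03T10:00:02Z src=203.0.113.7 dst=10.0.5.200:1947 proto=tcp action=allow",
    "2017-10-03T10:00:03Z src=10.0.9.4 dst=10.0.5.200:443 proto=tcp action=allow",
]

if __name__ == "__main__":
    print("7.50 vulnerable:", is_vulnerable_rte("7.50"), "| 7.6 vulnerable:", is_vulnerable_rte("7.6"))
    for hit in flag_license_manager_traffic(SAMPLE_LOGS, ["10.0.5.0/24"]):
        print("REVIEW:", hit)
```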
## References
- Kaspersky ICS CERT Advisory: `https[:]//ics-cert[.]kaspersky[.]com/publications/alerts/2017/10/03/several-more-vulnerabilities-found-and-closed-in-popular-license-manager/`
- KLCERT-17-004 through KLCERT-17-008: `https[:]//ics-cert[.]kaspersky[.]com/advisories/klcert-advisories/`