Workaround and best practices to mitigate risk for FlexNet Publisher security vulnerability CVE-2015-8277

THIS INFORMATION ONLY PERTAINS TO SOFTWARE VERSIONS IDL 8.5, ENVI 5.3 AND PRIOR Harris Geospatial Solutions was recently made aware of a security vulnerability in the Flexera FlexNet Publisher technology that is utilized for license management within the IDL & ENVI software products. We recognize the severity of this issue and are working diligently on a security patch for both our products and standalone license server installations that we plan to release to our customers as soon as possible. We are committed to making sure our customers can use the IDL & ENVI software in secure fashion so until this patch can be provided there are some steps that can be taken to work around and mitigate the risks posed by this security vulnerability that we want to share at this time. We greatly appreciate your business and encourage you to revisit this webpage which will be updated once a security patch has been released which provides a final resolution to this issue.

UPDATE March 22, 2016: A security patch addressing this security vulnerability issue has been made available for download from our web site. For details, please see the following Help article: IDL & ENVI License Server Security Patch

Overview

The license management of the IDL & ENVI software products is built with a third party software component called Flexera FlexNet Publisher. Recently, a buffer overflow security vulnerability was identified in Flexera's FlexNet Publisher technology, reported as Common Vulnerabilities and Exposures (CVE ID: CVE-2015-8277) and US CERT Vulnerability Note (VU#485744), on the following web postings:

• https://www.securifera.com/advisories/cve-2015-8277/
• http://www.kb.cert.org/vuls/id/485744

The CVSS base score for this vulnerability is 7.6.

Issue Addressed

This help article addresses the following issues for the IDL & ENVI software:

ENVI-70768: Security vulnerability in FlexNet 11.12.1.2 included with IDL & ENVI software

Affected Versions

The Flexera FlexNet Publisher software component that is impacted by the buffer overflow security vulnerability is utilized by the license manager software included with the following versions of the IDL & ENVI software (using FlexNet Publisher 11.12.1.2 or older):

•            IDL 8.5.1 and all older versions
•            ENVI 5.3 SP1 and all older versions
•            Exelis Products FlexLM License Server 8.5.1 and older versions

NOTE: This security vulnerability only applies to scenarios where a license manager server is utilized. All network floating (FL)type licenses and some node-locked (SN) type licenses use a license manager server. A license manager server is used when a Harris product license file certificate (license.dat file) includes lines that begin with the strings "SERVER" and "DAEMON", and end with a line beginning with "FEATURESET", for example:     SERVER machine1 012345678abcd 1700     DAEMON idl_lmgrd     INCREMENT envi ...     ...     FEATURESET idl_lmgrd ABCDEF0123456789

License Administrator Workaround and Best Practices toMitigate Risk Exposure, Until the Security Patch Can Be Applied

In scenarios where this security vulnerability is relevant, until a patch or patched installation can be applied, the following workaround and best practices may be used in order to the mitigate risk exposure caused by this issue.

Exposure of "lmgrd" or "idl_lmgrd"executable communication to the internet (or an untrusted network) is discouraged (and in some cases may be explicitly disallowed in your purchase agreement with Harris Corporation). Note that exposing either of these components to the internet raises the CVSS base score of this vulnerability to 9.0. If it is necessary to expose either of these components to the internet or untrusted network, then a partial workaround is to expose them to only a trusted network until they can be patched.

The following steps are recommended as License Administrator best practices to help protect against this and other security vulnerabilities:

•       Utilize the recommended security settings offered by the Operating System (OS) vendors that resist the buffer/stack overflow attacks. For example, the Data Execution Prevention (DEP) feature on Windows helps in this regard. Most OS updates also include security features that take advantage of both hardware and software based protection mechanisms against malicious code execution.
  
•       Launch lmgrd and vendor daemon executables using a least privileged security level
•       Limit access to only administrative users by launching lmgrd with the '-2 –p' command-line option unless you are using FlexNet Manager for Engineering Applications. Refer to the product documentation for limitations related to usage of this command-line option.
•       Do not use the default 27000-27009 TCP ports for lmgrd (this only inhibits a hacker who doesn’t use an intelligent port scanning tool)

See Also

• Help Article: "How do I determine the FlexNet version of the license manager server lmgrd and idl_lmgrd binary executables?"
• Help Article: "How to determine the product version of IDL, ENVI andExelis Products FlexLM License Server installed on a computer system"

Getting Help

If you need assistance updating your IDL or ENVI software installations with the security patch please visit our dedicated Request Technical Support webpage:

https://www.exelisvis.com/MyAccount/SupportRequests.aspx

Or send us an e-mail:

Europe: supporteu@exelisinc.com
North America: support@exelisinc.com
Other Regions: Please visit http://www.exelisvis.com/ContactUs.aspx

Reviewed by JU 3/14/2016, AO (3/14/2016)