ICS Summary for Week of February 2nd

By Nathaniel Weeks on February 2, 2018

USB token
Source: SecurityWeek

Gemalto Licensing Tool Vulnerability
It has come to light this week that vulnerabilities have been found in the Gemalto Sentinel LDK licensing solution, which is advertised as an “out-of-the-box Software Protection, Licensing,and Entitlement Management System” by Gemalto. The product uses a USB token to provide license control for software. Kaspersky Lab ICS CERT found the vulnerability while doing penetration testing. The vulnerable service is hasplms.exe, which is widely used in Industrial Control Systems (ICSs) and IT systems. This service in an attempt to provide convenience, installs drivers and an exception in Windows Firewall gets added for port 1947. After doing so, the service has enabled remote access.

ICS-CERT and Siemens have both warned that there are more than a dozen versions of SIMATIC WinCC, an HMI system from Siemens, were affected by the Gemalto vulnerabilities.

The Vulnerabilities in More Detail
Kaspersky Lab identified the service and attempted to analyze the service and its protocols in more detail. The Gemalto tool took steps to prevent this by using a proprietary binary protocol based on HTTP. The researchers found other security measures in place and as a result decided to use fuzzing as a primary method of inspecting the service’s behavior. They discovered that the localization function was used to import language packs. It consists of two files, one of which takes in parameters that are not completely sanitized. Despite the precautions that the developers had taken, it was discovered that a simple buffer overflow allows for the execution of arbitrary code on the remote system.

This discovery allows an attacker to execute malicious code with system privileges, collect NTLM hashes, and carry out denial of service (DoS) attacks.

Recommended Actions and Significance
As mentioned, the software uses port 1947. As a first measure, if possible, close this port. If the service is needed, update the software to the newest version which has addressed the vulnerability. The current version as of this writing is 7.6.
Although the latest patch has addressed the vulnerability, it is possible that some systems may not be patched immediately and remain vulnerable. The exploit is relatively simple and can give an attacker a “silver bullet”, to use Kaskperky’s words, to critical infrastructure. The possibilities include remote code execution, DoS attacks and the acquisition of NTLM hashes. There have been several vulnerabilities with the system over the last few years and Kaspersky has shown some dissatisfaction with the response and feedback from several software developers in regard to the transparency of these issues. If there is continued use of this system, it is recommended that administrators stay vigilant and stay informed.

After SecurityWeek’s write-up on the vulnerability, Gemalto responded and had this to say:
“In early 2017 Kaspersky Labs notified Gemalto of vulnerabilities in our Sentinel LDK solution. Gemalto analyzed the issues identified by Kaspersky and based on our assessment and the relative potential threat levels we released updated versions of Sentinel LDK in May and July 2017. Gemalto and Kaspersky both confirmed that the vulnerabilities were rectified and recommend that our customers upgrade to Sentinel LDK 7.6 or later.

After Gemalto released these updates we communicated to our customers through our standard communications channels the need to upgrade to the updated versions of Sentinel LDK to avoid these vulnerabilities. However, it was recently brought to our attention by Kaspersky that not all of our customers are aware of the vulnerabilities and the need to upgrade to Sentinel LDK 7.6 or later. We would therefore like to remind our customers to update their software to the most recent version of our Sentinel LDK licensing solution.

We appreciate the collaboration with Kaspersky in bringing these issues to our attention. Based on the feedback from Kaspersky, we are evaluating our current customer communication mechanisms to enhance the efficacy of future security bulletins to ensure our customers receive the updates in a timely manner. Gemalto takes the security of our products and the protection of our customers and their software very seriously, and we are committed to continuing to provide our customers with the most secure and advanced solutions to meet their needs in an ever-changing dynamic market.”





CVE-2017-11496 – Remote Code Execution
CVE-2017-11497 – Remote Code Execution
CVE-2017-11498 – Denial of Service
CVE-2017-12818 – Denial of Service
CVE-2017-12819 – NTLM hash capturing
CVE-2017-12820 – Denial of Service
CVE-2017-12821 – Remote Code Execution
CVE-2017- 12822 – Remote manipulations with configuration files