
             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                          Unix FLEXlm Vulnerabilities

September 20, 1996 17:00 GMT                                       Number G-47
______________________________________________________________________________
PROBLEM:       Many vendors have misconfigured the FLEXlm system to run as the
               root user, and some versions of the FLEXlm license management
               daemon lmgrd contain a security vulnerability.
PLATFORM:      The insecure configuration of vendor product installation is a
               vulnerability on all versions of FLEXlm running on any Unix
               system. The vulnerability in the FLEXlm license management
               daemon exists in all versions from version 4.0 up to, and 
               including, version 5.0a.
DAMAGE:        Users can create arbitrary files on the system and execute 
               arbitrary programs using the privileges of the user running
               the FLEXlm daemons.
SOLUTION:      Apply the workarounds and/or patches listed in the bulletin
               below.
______________________________________________________________________________
VULNERABILITY  This vulnerability takes advantage of an individual application
ASSESSMENT:    vulnerability, so it is fairly limited in scope.  However, CIAC
               advises that users of FLEXlm check their systems carefully for
               proper configuration/patching.
______________________________________________________________________________

[Begin Auscert Bulletin]

===========================================================================
AA-96.03                        AUSCERT Advisory
                   Multi-platform Unix FLEXlm Vulnerabilities
                               19 September 1996
----------------------------------------------------------------------------

AUSCERT has received information concerning several problems involving
the use of the FLEXlm licence management package on Unix systems.  FLEXlm
is used by many vendors to licence their products, and is supplied to them
by GLOBEtrotter Software (previously, it was supplied by Highland
Software).  Many vendors have misconfigured the FLEXlm system to run as
the root user, and some versions of the FLEXlm licence management daemon
lmgrd contain a security vulnerability.  These problems may allow local
users to create arbitrary files on the system and execute arbitrary
programs using the privileges of the user running the FLEXlm daemons.

System administrators are advised that the FLEXlm package may be installed
as part of the installation procedures of other vendor and third-party
products.  Due to the way that the licence management software is often
installed, it may be unnecessarily running as root, making it possible to
gain unauthorised privileged access.

This means that the FLEXlm package may be installed on systems and running
as the root user without the knowledge of the system administrator.

Note that the vulnerabilities described here do not affect the security of
the FLEXlm licences and licensing restrictions.  The vulnerabilities allow
users to compromise the security of the operating system.

----------------------------------------------------------------------------

1.  Description

The FLEXlm licence management package is used by many vendors to licence
their products.  Many vendors have misconfigured the FLEXlm system to run
as the root user, which opens a number of computer security vulnerabilities
that can be used to compromise the Unix operating system.  This is
described in paragraph (a).

In addition, some versions of the FLEXlm licence management daemon lmgrd
contain a security vulnerability.  This is described in paragraph (b).

(a) Insecure configuration of vendor product installation

    Due to some confusion in the documentation supplied to vendors using
    the FLEXlm package, the FLEXlm licence management software often runs
    with root privileges.  This often occurs due to the FLEXlm daemons
    being started by the system initialisation scripts.  If the daemons
    are running with root privileges they may be used by local users to
    gain unauthorised root privileges.  This potentially affects all
    versions of the FLEXlm licence management daemon.

    GLOBEtrotter Software advise that the FLEXlm package does not require
    root privileges to operate correctly.  FLEXlm daemons should be started
    by a non-privileged user with a restrictive umask setting, limiting
    the associated configuration vulnerabilities.

(b) Security vulnerability in FLEXlm licence management daemon

    A vulnerability has been found in the FLEXlm licence management daemon
    which may allow local users unauthorised access to the account running
    the FLEXlm licence management daemon.

    This vulnerability exists in all versions of the FLEXlm licence
    management daemon from version 4.0 up to, and including, version 5.0a.
    A new version of the daemon has been made available by GLOBEtrotter
    Software that fixes this vulnerability.  See Section 3.4.

    Versions earlier than version 4.0 do not have this vulnerability.
    GLOBEtrotter Software advise that all existing versions of the lmgrd
    daemon may be updated to the most recent version (version 5.0b) without
    change in functionality.  This version of lmgrd will work successfully
    with all existing FLEXlm-licensed products.  See Section 3.4.

1.1 Additional Description Information

This section contains additional information on locating any FLEXlm
components, determining the configuration of those components, and
identifying information required for the Workarounds/Solutions in
Section 3.

(a) Vendor configurations may be customised

    Vendors using the FLEXlm licence management package to licence their
    products have the ability to customise FLEXlm to meet their own needs.
    This may include names, locations, and content of many files, in
    addition to how the software is installed and used.  Therefore, care
    is required in locating any vulnerable software or configurations,
    and implementing workaround solutions.

(b) Determining if FLEXlm is installed

    The FLEXlm licence management package is often installed as part of
    the installation procedures of other vendor and third-party products.
    The system administrator may not be aware that FLEXlm has been
    installed.

    The following command run as root should determine if the FLEXlm
    licence management software is installed.

    # find /etc -type f -exec egrep -il 'lmgrd|flexlm|licdir' {} \;

    Any files listed should be investigated further to see if they relate
    to the FLEXlm licence management product.

    In particular, it is important to locate the FLEXlm licence management
    initialisation files (the files where FLEXlm licence management daemons
    are started from) as these will become important when discussing the
    Workarounds/Solutions in Section 3.

(c) Determining the version of the FLEXlm licence management daemon(s)

    The version of the FLEXlm licence management daemon can be determined
    by examining the strings(1) output of the binary daemon and searching
    for the strings "Copyright" and "FLEXlm".  For example:

    # strings /usr/local/flexlm/licences/lmgrd | grep -i copyright | grep -i flexlm

    Note that more than one version of the FLEXlm licence management
    daemon may be executing, depending on what products are installed.

    The version number is also written to stdout (which may have been
    redirected to a log file) when the licence management daemon is
    started.

(d) Identifying the user running the FLEXlm licence management daemons

    The licence management daemon is often called "lmgrd" or some
    derivative containing the string "lmgrd" (for example, lmgrd.abc).
    On some products, the name of the licence management daemon may have
    been changed to an arbitrary name (for example, lm_ABC4.ld).  It should
    be possible to locate most running versions of the licence management
    daemon by examining the files identified in Section 1.1(b) or by using
    one of the following commands (note that these may also match processes
    unrelated to FLEXlm, and may not find every FLEXlm-related process):

        % ps -auxww | grep -i lm | grep -v grep         # BSD systems
        % ps -ef | grep -i lm | grep -v grep            # SYS V systems

    If any licence management daemon is running as the root user, then a
    number of vulnerabilities exist as the daemon was not designed to be
    run with root privileges.

    Note that more than one FLEXlm licence management daemon may be running
    depending on what products have been installed.  It is important to
    check for all running versions of the daemon.

(e) Locating the licence management files

    Each licence management daemon has an associated licence file.  The
    licence file is usually specified by the "-c" option on the command
    line, the LM_LICENSE_FILE environment variable, or is found in the
    default location /usr/local/flexlm/licenses/license.dat.  The licence
    file describes which products the daemon is administering and the
    location of associated daemons.  The licence files become important
    when discussing the Workarounds/Solutions in Section 3.
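    The checks in Section 1.1 and the port rule in Section 3.1.3 can be
    scripted.  The following is an added example and not part of the AUSCERT
    bulletin; the function names and the ps/licence-file samples are
    constructed so it runs offline, and the version check covers the whole
    affected range rather than one version.

```shell
#!/bin/sh
# Audit helpers for the checks in Sections 1.1(c), 1.1(d) and 3.1.3.  Added
# example, not part of the AUSCERT/CIAC bulletin: the function names and the
# sample data are constructed so the checks can be exercised offline.

# Constructed "ps -ef" output (UID PID PPID C STIME TTY TIME CMD): one daemon
# run as root, one as a system account, one as a dedicated "flexlm" user.
SAMPLE_PS='root     214     1  0 09:01 ?  00:00:00 /usr/local/flexlm/licenses/lmgrd -c /usr/local/flexlm/licenses/license.dat
bin      377     1  0 09:02 ?  00:00:00 /opt/abc/bin/lm_ABC4.ld -c /opt/abc/license.dat
flexlm   412     1  0 09:03 ?  00:00:00 /opt/xyz/bin/lmgrd.xyz -c /opt/xyz/license.dat
nobody   999     1  0 09:04 ?  00:00:00 /usr/sbin/cron'

# Constructed licence file whose SERVER line names a privileged port.
SAMPLE_LICENCE='SERVER xyzzy 123456789 744
DAEMON abcd /opt/abc/bin/abcd
FEATURE f1 abcd 1.0 01-jan-1997 5 0123456789AB'

# Section 2: root and the usual system accounts must never run lmgrd.
is_privileged_user() {
    case "$1" in
        root|bin|daemon|sys|adm|lp|uucp) return 0 ;;
        *) return 1 ;;
    esac
}

# Section 1.1(d): the bulletin's "grep -i lm" heuristic applied to ps output
# read from stdin.  Prints "PRIVILEGED <user> <cmd>" or "ok <user> <cmd>" per
# match and returns 1 if any daemon runs as a privileged account.  As the
# bulletin warns, this can match unrelated processes and miss renamed ones.
audit_lm_processes() {
    bad=0
    while read -r user pid ppid c stime tty cpu cmd rest; do
        case "$cmd $rest" in
            *[Ll][Mm]*) ;;
            *) continue ;;
        esac
        if is_privileged_user "$user"; then
            echo "PRIVILEGED $user $cmd"; bad=1
        else
            echo "ok $user $cmd"
        fi
    done
    return $bad
}

# Section 3.1.3: the port is the fourth field of the SERVER line and must be
# a non-privileged port (1024 or above) so lmgrd does not need root to bind.
licence_server_port() {
    awk '$1 == "SERVER" { print $4; exit }'
}

server_port_is_unprivileged() {
    port=$(licence_server_port)
    [ -n "$port" ] && [ "$port" -ge 1024 ]
}

# Section 1(b)/3.4: lmgrd 4.0 through 5.0a carries the daemon vulnerability.
# $1 is the version taken from the strings(1) output described in 1.1(c).
lmgrd_version_vulnerable() {
    case "$1" in
        4.*|5.0|5.0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the checks over the constructed samples.
printf '%s\n' "$SAMPLE_PS" | audit_lm_processes ||
    echo "daemon(s) running as a privileged account: apply Section 3.1"
printf '%s\n' "$SAMPLE_LICENCE" | server_port_is_unprivileged ||
    echo "SERVER port $(printf '%s\n' "$SAMPLE_LICENCE" | licence_server_port) is privileged: choose one >= 1024"
lmgrd_version_vulnerable 5.0a && echo "lmgrd 5.0a is vulnerable: upgrade to 5.0b (Section 3.4)"
```

    On a real system feed the output of the ps command from Section 1.1(d)
    and the licence file from Section 1.1(e) to these functions instead of
    the samples.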

2.  Impact

    Any versions of the FLEXlm licence management daemons executing using
    a system account (for example, bin, daemon, sys) or a privileged
    account (such as root) may allow local users to create or overwrite
    arbitrary files on the system.  This may be leveraged to gain root
    access.

    FLEXlm licence management daemons containing the security vulnerability
    (indicated in Section 1(b)) may allow local users unauthorised access
    to the account running the daemons.

    Information on gaining unauthorised access to Unix systems using the
    FLEXlm Licence Management software has been widely distributed.

3.  Workarounds/Solution

Note that all four (4) sections should be reviewed and implemented if
appropriate.  Each section addresses a different problem.

After the installation of ANY product or upgrade, the system must be
checked to verify if a FLEXlm licence management daemon has been added.
If a FLEXlm licence management daemon has been added, then Sections 3.1
to 3.4 of this Advisory should be applied to it to ensure a more secure
configuration.

3.1 Run as a non-privileged user

    GLOBEtrotter Software advise that the FLEXlm licence management
    software does not require root privileges to operate.  The FLEXlm
    licence management daemon should be run by a non-privileged user.

    If the licence management daemon is executing with root or some other
    system account permissions (such as bin, sys, daemon or any other
    system account), it must be modified to use a non-privileged user.

    If the licence management daemon is already executing as a
    non-privileged user, then the remainder of Section 3.1 may be skipped.

    It is recommended that a new user "flexlm" be created for the specific
    purpose of running the FLEXlm licence management daemon.  In this
    case, Steps 3.1.1 through 3.1.5 should be followed.

    3.1.1 Create a non-privileged account for use by FLEXlm.  For example:

        flexlm:*:2000:250:FLEXlm Licence Manager:/nonexistent:/bin/sh

          Note the account must have the following properties:
            . password set to '*' as interactive access is not required
            . a unique userid (the 2000 is only an example)
            . a unique groupid (the 250 is only an example)
            . a shell of /bin/sh

	  The following instructions refer to this account as the "flexlm
	  user".  If the FLEXlm daemons were already running as a
	  non-privileged user, then this will be the "flexlm user" below.

    3.1.2 Locate the licence file(s).  These may be identified in one of
	  three ways:
	    . specified by the "-c" option to the FLEXlm licence daemons
	    . specified by the LM_LICENSE_FILE environment variable
	    . located in the default location:
			/usr/local/flexlm/licenses/license.dat
	  Note that there is always a single licence file for each licence
	  daemon, but there may be more than one licence daemon running
	  on a system.

    3.1.3 The licence management daemons must use a non-privileged TCP
	  port for communication.  The port number chosen may be arbitrary,
	  but all clients must be configured to use the same port.

	  The port is specified in the licence data file on the SERVER
	  line.  It is the fourth (4th) field on this line.  For example:

		SERVER xyzzy 123456789 1234

	  the port number is 1234.

    3.1.4 Locate where the FLEXlm licence management daemon is started.
	  This is often in the system startup scripts, but may not
	  exclusively be so.  An example startup line is:

        $licdir/$lmgrd -c $licdir/$licfile >> /tmp/license_log 2>&1 &

	  Logging information is written to stdout by the daemons, and is
	  often redirected to a log file when the daemon is started.

    3.1.5 Modify the line in the FLEXlm startup files that starts the
          licence management daemon to look similar to the following:

su flexlm -c "{original command line in startup file}"

	  where flexlm is the user created in Step 3.1.1.  Note that the
	  logging information that is written to stdout from the daemon
	  should not be written to files in /tmp or other world writable
	  directories, but to a specially created directory that the flexlm
	  user can write log information to.

	  For example:

su flexlm -c "$licdir/$lmgrd -c ... >> /var/log/flexlm/license_log 2>&1 &"

3.2 File Ownership

    Regardless of which user is executing the FLEXlm licence management
    software, additional security vulnerabilities may allow a user to gain
    unauthorised access to the account running the daemon or engage in
    denial of service attacks by deleting files.

    These vulnerabilities may be limited if you ensure that no files on
    the system are owned or are writable by the flexlm user.  The possible
    exception to this requirement is log files (see Section 3.1.4) and
    temporary files.  All licence and FLEXlm executable files must be
    readable or executable by the flexlm user.  Additional daemons required
    by the FLEXlm licence management daemon are specified in the licence
    data files (located in Section 3.1.2) on the DAEMON line.

    These file ownership and mode changes should be done for all versions
    of FLEXlm.

    Note that some vendors may have installed the FLEXlm software owned
    by the flexlm user.  This configuration should be modified as detailed
    in this section.

3.3 umask Setting

    The FLEXlm licence management daemons inherit the umask setting from
    the environment in which they are started.  When FLEXlm is started as
    part of the system initialisation procedures, the umask is inherited
    from init(1M) and is usually set to 000.  This means that FLEXlm will
    open files which are world and group writable.  A more appropriate
    umask setting is 022.

    This should be done for all versions of FLEXlm.

    The umask can be set in the FLEXlm startup files which were identified
    in Section 3.1.4.  This should be the first command executed in the
    startup script for FLEXlm licence management daemons.

    For example:

		#!/bin/sh
		umask 022			# add this line here
		<rest of the FLEXlm startup file>
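    A startup file that applies Step 3.1.5 together with the ownership rules
    of Section 3.2 and the umask of Section 3.3 can look like the following.
    This is an added example, not the vendor's or the bulletin's own script;
    the directory paths, the flexlm account name and the helper functions
    are assumptions.

```shell
#!/bin/sh
# FLEXlm startup wrapper combining Step 3.1.5, Section 3.2 and Section 3.3.
# Added example, not the vendor's or the bulletin's own script: the paths,
# the "flexlm" account and the helper function names are assumptions.
umask 022                          # Section 3.3: first command in the file

FLEXLM_USER=flexlm                 # account created in Step 3.1.1
licdir=/usr/local/flexlm/licenses
lmgrd=lmgrd
licfile=license.dat
logdir=/var/log/flexlm             # Step 3.1.5: not /tmp; owned by flexlm only

# Section 3.2: a file lmgrd depends on must be readable (or executable) by
# the flexlm user but neither owned by it nor writable by it.  Group write is
# flagged only when the file's group is the flexlm user's own group (Step
# 3.1.1 gives that account a unique group, so other groups cannot reach it).
file_ok_for_flexlm() {
    f=$1; u=$2
    [ -e "$f" ] || { echo "missing: $f" >&2; return 1; }
    set -- $(ls -ld "$f")              # $3 = owner, $4 = group
    [ "$3" != "$u" ] || { echo "owned by $u: $f" >&2; return 1; }
    [ -z "$(find "$f" -prune -perm -002 -print)" ] ||
        { echo "world-writable: $f" >&2; return 1; }
    if [ "$4" = "$u" ] && [ -n "$(find "$f" -prune -perm -020 -print)" ]; then
        echo "writable by group $u: $f" >&2; return 1
    fi
    return 0
}

# The log directory is the one place the flexlm user may own and write to,
# and it must not be world-writable (unlike /tmp in the vendor example).
logdir_ok() {
    d=$1; u=$2
    [ -d "$d" ] || { echo "log directory missing: $d" >&2; return 1; }
    set -- $(ls -ld "$d")
    [ "$3" = "$u" ] || { echo "log directory not owned by $u: $d" >&2; return 1; }
    [ -z "$(find "$d" -prune -perm -002 -print)" ] ||
        { echo "log directory world-writable: $d" >&2; return 1; }
}

# Step 3.1.5: check lmgrd, the licence file, every vendor daemon named on a
# DAEMON line, and the log directory; only then start lmgrd via su.
start_lmgrd() {
    for f in "$licdir/$lmgrd" "$licdir/$licfile"; do
        file_ok_for_flexlm "$f" "$FLEXLM_USER" || return 1
    done
    for f in $(awk '$1 == "DAEMON" { print $3 }' "$licdir/$licfile"); do
        file_ok_for_flexlm "$f" "$FLEXLM_USER" || return 1
    done
    logdir_ok "$logdir" "$FLEXLM_USER" || return 1
    su "$FLEXLM_USER" -c \
        "$licdir/$lmgrd -c $licdir/$licfile >> $logdir/license_log 2>&1 &"
}

case "${1:-}" in
    start) start_lmgrd ;;
    *)     echo "usage: $0 start" >&2 ;;
esac
```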

3.4 Vendor Patch for Vulnerability

    GLOBEtrotter Software have made a new version of the FLEXlm licence
    management daemon (version 5.0b) available which rectifies the reported
    vulnerability in Section 1(b).

    All versions of the FLEXlm licence management daemon from version 4.0
    up to, and including, version 5.0a should be upgraded immediately.

    GLOBEtrotter Software advise that all versions of the FLEXlm lmgrd
    may be upgraded to the latest version (version 5.0b) without loss of
    existing functionality.  This version of lmgrd will work successfully
    with all existing FLEXlm-licensed products.

    Note that there may be more than one copy of FLEXlm's lmgrd on your
    system that requires upgrading, depending on what products are
    installed.  The existing licence management daemon(s) should be
    replaced with the new version, but the location and file name of the
    version you are replacing should be preserved.

    Version 5.0b of the FLEXlm licence management daemon may be found at

		http://www.globetrotter.com/lmgrd.htm

    A copy of these files will be available until 31-Oct-1996 from:

	ftp://ftp.auscert.org.au/pub/mirrors/ftp.globetrotter.com/flexlm/unix/

4.  Additional information

4.1 User Manual and Frequently Asked Questions

    GLOBEtrotter Software have a user manual that describes the FLEXlm
    Licence Management system which is available to all users.  A FAQ
    (Frequently Asked Questions) document containing useful information
    is also available.  These can be located at:

		http://www.globetrotter.com/manual.htm
		http://www.globetrotter.com/faq.htm

4.2 Additional Vendor Information

    GLOBEtrotter Software have made available some additional information
    concerning these security vulnerabilities.  It can be accessed at:

		http://www.globetrotter.com/auscert.htm

4.3 General misconfiguration description

    The misconfiguration of the FLEXlm licence management daemon is a
    generic problem where software that was not designed to be run with
    root privileges automatically gains those privileges as a result of
    being started by the system initialisation scripts.  Only those
    programs that require root privileges should be run as root.

    Attention is drawn to the Unix Secure Programming Checklist which
    addresses this issue, in addition to others.  The checklist is
    available from:

ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist

----------------------------------------------------------------------------
AUSCERT thanks Peter Marelas from The Fulcrum Consulting Group,
GLOBEtrotter Software, DFN-CERT, CERT/CC, and Sun Microsystems for their
advice and cooperation in this matter.
----------------------------------------------------------------------------

[End Auscert Bulletin]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Peter Marelas from The Fulcrum
Consulting Group, GLOBEtrotter Software, DFN-CERT, CERT/CC, Sun Microsystems
and AUSCERT for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
valid information for LastName FirstName and PhoneNumber when sending
E-mail to ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

G-37: Vulnerability in Adobe FrameMaker (fm_fls)
G-38: Linux Vulnerabilities in mount and umount Programs
G-39: Vulnerability in expreserve
G-40: SGI admin and user Program Vulnerabilities
G-41: Vulnerability in BASH Program
G-42: Vulnerability in WorkMan Program
G-43: Vulnerabilities in Sendmail
G-44: SCO Unix Vulnerability
G-45: Vulnerability in HP VUE
G-46: Vulnerabilities in Transarc DCE and DFS

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95     A comprehensive review of SATAN

Notes 08 - 4/4/95      A Courtney update

Notes 09 - 4/24/95     More on the "Good Times" virus urban legend

Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
                       in S/Key, EBOLA Virus Hoax, and Caibua Virus

Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
                       America On-Line Virus Scare, SPI 3.2.2 Released,
                       The Die_Hard Virus

Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
                       Windows, beta release of Merlin, Microsoft Word
                       Macro Viruses, Allegations of Inappropriate Data
                       Collection in Win95

Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
                       Conference Announcement, Security and Web Search
                       Engines, Microsoft Word Macro Virus Update