A variety of serious vulnerabilities have been identified in popular license management software used in corporate and industrial control system (ICS) environments to activate software on PCs and servers.
According to Kaspersky Lab ICS CERT researchers, 14 vulnerabilities in the Hardware Against Software Piracy (HASP) license management system mean that license management USB tokens can be used to open a hidden remote-access channel for cyber-attackers.
The flaws include multiple denial-of-service (DoS) vulnerabilities and several remote code execution issues. These are automatically exploited not with user rights but with the most privileged system rights, providing attackers with an opportunity to execute any arbitrary code they wish.
“The USB-tokens in question are widely used in different organizations to serve the purpose of convenient software license activation,” researchers explained in their analysis. “In normal use case scenarios, a company’s system administrator would need to approach the computer with the software that needs to be activated and insert the token. It will then confirm that the software of interest is legitimate (not pirated) and would activate it.”
The problem is, upon installation, the software adds port 1947 of the computer to the list of exclusions of the Windows Firewall with no proper user notification, which makes it vulnerable to a remote attack.
“An attacker would only need to scan the targeted network for open port 1947 in order to identify any remotely available computers,” the researchers said. “More importantly, the port remains open after the token has been detached, which is why even in a patched and protected corporate environment, an attacker would only need to install software using the HASP solution or attach the token to a PC once (even a locked one) in order to make it available for remote attacks.”
The number of systems affected by the vulnerability is uncertain, but given the popularity of the software, it could affect hundreds of thousands of users worldwide.
“Given how popular this license management system is, the possible scale of the consequences of these vulnerabilities going unpatched is very large,” said Vladimir Dashchenko, head of vulnerability research group, Kaspersky Lab ICS CERT. “Since these tokens are not only used in regular corporate environments but also in critical facilities with strict remote access rules, the vulnerabilities we discovered could be putting thousands of critical networks in danger.”
Upon discovery, Kaspersky Lab reported these vulnerabilities to the affected software vendors, which subsequently released security patches. Organizations should install the latest (secure) version of the driver as soon as possible or contact the vendor for instructions on updating the driver.
Additionally, as long as it does not interfere with business processes, administrators should close port 1947, at least on the external firewall on the network perimeter.