Executive Summary
Summary | |
---|---|
Title | InstallShield / Macrovision / Acresso FLEXnet Connect insecurely retrieves and executes scripts |
Information | |||
---|---|---|---|
Name | VU#837092 | First vendor Publication | 2008-09-16 |
Vendor | VU-CERT | Last vendor Modification | 2008-11-28 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Vulnerability Note VU#837092
InstallShield / Macrovision / Acresso FLEXnet Connect insecurely retrieves and executes scripts
Overview
Acresso FLEXnet Connect executes scripts that are insecurely retrieved from a remote web server, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
I. Description
Acresso FLEXnet Connect is a software package that allows vendors to provide updates to applications. FLEXnet Connect-enabled software has the ability to
The FLEXnet Connect client software communicates with centralized servers to check for updates and other product information on a periodic basis. Updates can also be triggered by using Internet Explorer to visit a web page that uses the FLEXnet Connect ActiveX control, which is provided by agent.exe. When connecting to the server, the client can receive special instructions (rules) to assist in evaluating whether an update is relevant. These instructions are provided by a GetRules.asp page on a web server. These rules are presented in a scripting language, such as VBScript. FLEXnet Connect retrieves rules insecurely in that it uses unsigned and unencrypted communication using the HTTP protocol, which can allow an attacker to inject code that will be executed on the client system. This can happen in a number of ways, including
II. Impact
By modifying the rule script that is sent to a FLEXnet Connect client, a remote unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.
III. Solution
Apply an update
This issue is addressed with the FLEXnet Connect 11.0.1 client, which comes with agent.exe version 11.1.100.17104. This version of FLEXnet Connect includes the ability to verify certificates that are provided by the FLEXnet Connect server. A FLEXnet Connect server that uses signed communication will add an X-FNC-Sig HTTP header to outgoing messages. This signature is designed to prevent the server response from being successfully modified by an attacker. The signature checking is also designed to ensure that the FLEXnet Connect client is connecting to an authentic FLEXnet Connect server, much in the same way that HTTPS helps to ensure the identity of a web site. Note that the originally-released version of the FLEXnet Connect 11.0.1 client, which came with agent.exe version 11.1.100.16604, did not completely address this vulnerability.
Disable the DWUpdateService ActiveX control in Internet Explorer
The vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs:
{5B7524C8-2446-40E9-9474-94A779DBA224}
{8D9BB053-FEE5-4411-B6F5-F1E37DDC3106}
{EE4E49B0-38EC-4C23-A7A6-2E190B5E3418}
{FFF2D28F-E4EE-44D9-8104-8E71556757F6}
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{551E5190-19C7-4626-9D54-FB20355E6467}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5B7524C8-2446-40E9-9474-94A779DBA224}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8D9BB053-FEE5-4411-B6F5-F1E37DDC3106}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EE4E49B0-38EC-4C23-A7A6-2E190B5E3418}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FFF2D28F-E4EE-44D9-8104-8E71556757F6}]
"Compatibility Flags"=dword:00000400
Restrict access to the FLEXnet Connect client components
The vulnerable update components can be disabled by restricting access to the ISSCH.EXE and ISUSPM.EXE components on Microsoft Windows systems. These executable files are for the InstallShield Update Service Scheduler and the Macrovision FLEXnet Connect Update Manager, respectively. These programs are used to periodically check for software updates using FLEXnet Connect. Users may also wish to rename the "Program Files\Common Files\InstallShield\UpdateService" or related UpdateManager folders of other products to prevent automated execution of these programs until a fix is provided. Note that this may interfere with a product's ability to retrieve updates, including security fixes.
Disable ActiveX
Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.
Systems Affected
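To check a Windows host against the fix and the kill-bit workaround described above, the following read-only PowerShell audit is an added example, not part of the CERT note or any vendor tool. The CLSIDs and the fixed agent.exe version are the ones given in the note; the folders searched for agent.exe and the Wow6432Node key (the 32-bit registry view on 64-bit Windows) are assumptions that the note does not state.

```powershell
# Added example: read-only audit for VU#837092 (fixed agent.exe build + IE kill bits).
param(
    # Assumption: folders searched for agent.exe. The note names only the InstallShield
    # UpdateService folder; pass other product folders explicitly.
    [string[]]$SearchRoot = (@($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { Join-Path $_ 'InstallShield\UpdateService' })
)

$FixedVersion = [version]'11.1.100.17104'   # agent.exe build the note gives as the fix
$KillBit      = 0x400                       # "Compatibility Flags" bit that blocks the control
$Clsids = @(
    '{551E5190-19C7-4626-9D54-FB20355E6467}',
    '{5B7524C8-2446-40E9-9474-94A779DBA224}',
    '{8D9BB053-FEE5-4411-B6F5-F1E37DDC3106}',
    '{EE4E49B0-38EC-4C23-A7A6-2E190B5E3418}',
    '{FFF2D28F-E4EE-44D9-8104-8E71556757F6}'
)
# Native key from the note, plus the 32-bit view used by 32-bit IE on 64-bit Windows
# (the second key is an addition, not listed in the note).
$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path -LiteralPath $_ }

# 1. Every agent.exe found, with its file version compared to the fixed build.
$agentReport = foreach ($root in $SearchRoot | Where-Object { Test-Path -LiteralPath $_ }) {
    Get-ChildItem -LiteralPath $root -Filter agent.exe -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi  = $_.VersionInfo
            $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                  $vi.FileBuildPart, $vi.FilePrivatePart)
            [pscustomobject]@{ Path = $_.FullName; Version = $ver; Fixed = ($ver -ge $FixedVersion) }
        }
}

# 2. Kill-bit state of each CLSID in each registry view; a missing key means not set.
$killBitReport = foreach ($key in $CompatKeys) {
    foreach ($clsid in $Clsids) {
        $flags = (Get-ItemProperty -LiteralPath "$key\$clsid" -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{ Key = $key; Clsid = $clsid; KillBitSet = [bool]($flags -band $KillBit) }
    }
}

$agentReport   | Format-Table -AutoSize
$killBitReport | Format-Table -AutoSize
```

A row with Fixed = False marks an agent.exe older than the fixed build (this includes the incomplete 11.1.100.16604 release), and KillBitSet = False marks a control that Internet Explorer can still load.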
References
http://www.cert.org/tech_tips/securing_browser/#Internet_Explorer
Thanks to Brian Dowling of Simplicity Communications for reporting this vulnerability. This document was written by Will Dormann.
Original Source
Url : http://www.kb.cert.org/vuls/id/837092 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 | |
Application | 1 |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
48203 | FlexNET Connect Acresso InstallShield Update Agent ActiveX Arbitrary Code Exe... |