Gemalto Licensing Tool Exposes ICS, Corporate Systems to Attacks

A significant number of industrial and corporate systems may be exposed to remote attacks due to the existence of more than a dozen vulnerabilities in a protection and licensing product from Gemalto.

Gemalto Sentinel LDK is a software licensing solution used by many organizations worldwide on both their enterprise and industrial control systems (ICS) networks. In addition to software components, the solution provides hardware-based protection, specifically a SafeNet Sentinel USB dongle that users connect to a PC or server when they want to activate a product.

Researchers at Kaspersky Lab discovered that when the token is attached to a device, the necessary drivers are installed – either downloaded by Windows or provided by third-party software – and port 1947 is added to the list of exceptions in the Windows Firewall. The port remains open even after the USB dongle has been removed, allowing remote access to a system.

Experts discovered a total of 14 vulnerabilities in Sentinel components, including ones that allow denial-of-service (DoS) attacks, arbitrary code execution with system privileges, and capturing NTLM hashes. Since port 1947 allows access to the system, these flaws can be exploited by a remote attacker.

Kaspersky decided to analyze the product after the company’s ICS CERT team repeatedly encountered it during penetration testing assignments.

Malicious actors can scan the network for port 1947 to identify remotely accessible devices or, if they have physical access to the targeted machine, they can connect the USB dongle – even if the computer is locked – in order to make it remotely accessible.

The Gemalto product also includes an API that can be used to remotely enable and disable the administrator interface and change settings, including proxy settings for obtaining language packs. Changing the proxy allows an attacker to obtain the NTLM hash for the user account running the licensing software process.

Eleven vulnerabilities were discovered by Kaspersky in late 2016 and early 2017, and three others were found by June 2017. Gemalto has been notified and the company has implemented fixes with the release of version 7.6, but Kaspersky is not entirely happy with how the vendor has handled the situation. The first round of flaws was only resolved in late June 2017 and Gemalto did not properly communicate to customers the risks posed by these vulnerabilities – several software developers using the license management solution told Kaspersky they had not been aware of the security holes and continued using vulnerable versions.

In addition to installing the latest version of the Sentinel driver, Kaspersky has advised users to close port 1947 if it’s not needed for regular activities.
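
One way to check a Windows host for the exposure described above and apply the advice to close the port. This PowerShell script is an added example, not code from Kaspersky or Gemalto. It assumes Windows 8 / Server 2012 or later (built-in NetTCPIP and NetSecurity cmdlets); the `-DisableRules` switch and the `Test-PortSpec` helper are names chosen here for illustration.

```powershell
# Added example (not vendor or Kaspersky code). Read-only unless -DisableRules is given.
param([int]$Port = 1947, [switch]$DisableRules)

# True if a firewall LocalPort spec ("1947", "1900-2000", ...) covers $Port.
function Test-PortSpec([string[]]$Spec, [int]$Port) {
    foreach ($s in $Spec) {
        if ($s -eq "$Port") { return $true }
        if ($s -match '^(\d+)-(\d+)$' -and
            $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# 1. Anything bound to the port right now (TCP listeners and UDP endpoints).
$bound = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue) +
         @(Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue)
foreach ($b in $bound) {
    $proc = Get-Process -Id $b.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{ Finding = 'Bound socket'; Detail = "$($b.LocalAddress):$($b.LocalPort)"
                       Process = $proc.ProcessName }
}

# 2. Enabled inbound allow rules that name the port explicitly. The exception can
#    outlive the dongle, so a rule may exist even when nothing is bound.
$rules = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        Test-PortSpec $pf.LocalPort $Port
    })
foreach ($r in $rules) {
    [pscustomobject]@{ Finding = 'Inbound allow rule'; Detail = $r.DisplayName
                       Process = ($r | Get-NetFirewallApplicationFilter).Program }
}

# 3. Optional remediation (needs elevation). Skip on hosts that serve licenses
#    to other machines, where the port is needed for regular activity.
if ($DisableRules -and $rules.Count -gt 0) {
    $rules | Disable-NetFirewallRule
}
```

Rules that allow a program on any port are not matched by step 2; the Process column from step 1 shows which binary to look for in those.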

While the exact number of devices using this Gemalto product is unknown, Kaspersky believes it could be millions. A 2011 study by Frost and Sullivan showed that the SafeNet Sentinel had a 40 percent share in the license control solutions market in North America and 60 percent in Europe.

The vulnerable Gemalto software is found in the products of several major companies, including ABB, General Electric, HP, Cadac Group, Siemens, and Zemax.

Last week, ICS-CERT and Siemens warned that more than a dozen versions of the SIMATIC WinCC Add-On were affected by three critical and high severity vulnerabilities introduced by the use of Gemalto software. Siemens said the flaws, two of which are related to how language packs are processed, allow DoS attacks and arbitrary code execution.

Siemens told customers that the vulnerable Gemalto software is used in SIMATIC WinCC add-ons released in 2015 and earlier.

“Given how widespread this license management system is, the possible scale of consequences is very large, because these tokens are used not only in regular corporate environments, but also in critical facilities with strict remote access rules. The latter could easily be broken with the help of the issue which we discovered to be putting critical networks in danger,” warned Vladimir Dashchenko, head of the vulnerability research group at Kaspersky ICS CERT.

Original author: Eduard Kovacs