Security Bulletin: Vulnerability in Rational License Key Server affecting both the license server, lmgrd, and the vendor daemon, ibmratl (CVE-2011-1389)

Internal Use Only

A possible security vulnerability has been reported in the FlexNet Publisher lmgrd license server manager as well as vendor daemons. There have been no reported exploits of this possible vulnerability and to date it has not been reported by FlexNetSoftware users. This vulnerability impacts the following license server:

IBM Rational License Key Server 8.1.2
IBM Rational License Key Server 8.1.1
IBM Rational License Key Server 8.0
Rational License Server v7.x
Telelogic License Server 2.0

VULNERABILITY DETAILS:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of FlexNet Publisher license server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the license server manager which listens on TCP port 27000. There are multiple problems that allow an attacker to influence the saving and loading of log files on the server. By utilizing a directory traversal issue and some file renaming bugs, an attacker can leverage this vulnerability to execute arbitrary code under the user context running the license server manager/vendor daemon.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/71739 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS:

The list of platforms affected by this vulnerability is as follows.

AIX 5.1
AIX 5.2.*
AIX 5.3.*
AIX 6.1.*
HP-UX 11.0 PA-RISC
HP-UX 11i v1 PA-RISC
HP-UX 11i v2 IA64
HP-UX 11i v2 PA-RISC
Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 9
Solaris 10 SPARC
Solaris 8 x86-32
Solaris 9 x86-32
Windows 2000 SP4 Advanced Server/Server/Professional
Windows Server 2003 SP2 Enterprise/Standard x86-32
Windows Server 2003 SP2 Enterprise/Standard x86-64
Windows XP SP2 Professional x86-32
Windows Server 2008 Enterprise/Standard x86-32
Windows Server 2008 Enterprise/Standard x86-64
Windows Server 2008 R2 Enterprise x86-32
Windows Server 2008 R2 Enterprise x86-64
Windows Vista Business/Enterprise/Ultimate SP2 x86-32
Windows 7 Enterprise/Professional/Ultimate x86-32
Windows 7 Enterprise/Professional/Ultimate x86-64

Note:- All the versions of the License Server may not run on all of the above platforms.


REMEDIATION:
The recommended solution is to apply the iFixes provided by IBM as outlined here.

Vendor Fix(es):

For IBM RLKS 812 or RLKS 8.1.1 Users

An iFix is available to address this vulnerability. Links for downloading the fixes and the installation instructions are listed below.

RLKS 8.1.2 iFixes Download Link
RLKS 8.1.1 iFixes Download Link

How to install the iFixes

To install the Rational License Key Server fix on Windows platforms:
1. Download the Windows iFix.zip file.
2. Extract the compressed files to an appropriate directory.
3. Add the fix pack repository location in Installation Manager as follows:
a) Launch IBM Installation Manager.
b) Click File->Preferences->Repositories.
c) Click Add Repository.
d) Browse to or enter the file path to the repository.config file. The repository.config file is located in the sub-directory "ifix" where you extracted the compressed files.
4. Stop the Rational License Key Server before installing the iFix. Make sure the following processes are not running - lmgrd, lmutil, lmtools and ibmratl.
5. On the main page of Installation Manager, click Update.
6. Follow the instructions to install the Fix Pack.
7. Start the Rational License Key Server.

To install the Rational License Key Server fix on Unix platforms:
1. Download the Windows iFix.zip file.
2. Extract the iFix.tar: tar -xvf <iFix>.tar
3. Go to the installation location of the license server.
4. Navigate to the config sub-folder.
5. Run the start_lmgrd_on_this_host script file with the stop option: ./start_lmgrd_on_this_host stop
6. The license server stops. To verify, run the command: ps -ef | grep lmgrd
7. Navigate to sub-directory <installation_directory>/base/cots/flexlm.11.8/<Platform>
8. Overwrite files in this directory with all the files from the iFix.
9. Go to the <installation_directory>/config/ directory.
10. Start the license server using the command: ./start_lmgrd_on_this_host start

For IBM RLS 8.x, RLS 7.x and IBM Telelogic License Server 2.0 Users

There are no plans to release fixes for Rational License Server v8.x, v7.x and Telelogic License Server 2.0. IBM recommends all customers using these versions of license servers migrate to IBM Rational License Key server 8.1.2 and update the IBM Rational License Key server 8.1.2 with the fix for the security vulnerability described in this Technote.

Instructions on migrating to RLKS 8.1.2 are available through this Info Center Link.

Migration to RLKS 8.1.2

RLKS 8.1.2 can be downloaded from your Passport Advantage account or here

812 Download Link

Workaround(s):
None

Mitigation(s):
Users, who do not wish to migrate to the IBM RLKS 8.1.2, can use one of the possible mitigations as mentioned in TechNote 1573825.

REFERENCES:
This security vulnerability was reported by Zero Day Initiative.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.