Researchers at Kaspersky Lab’s ICS CERT have identified a number of vulnerabilities in the SafeNet Sentinel license manager. We are to some extent the ones who are responsible for this discovery, so we would like to join the vendor, Gemalto, in alerting users they need to update the drivers.
Developers generally patch critical holes in their software fairly quickly, and responsible companies release updates and warn users about the danger. But in practice, that does not always mean the vulnerabilities will be closed in a timely manner.
Some administrators might have missed the warning, and others might believe they won’t be affected. So, we’re here once more to explain what the danger is and why you need to install a patch. This is especially important when the vulnerabilities in question have been detected in a product that occupies 40% of the sales market for license manager solutions in North America and more than 60% in Europe.
What are the vulnerabilities, exactly?
For a full answer to this question with technical details, see our ICS CERT website. In a nutshell, Sentinel is a combined hardware and software solution that protects software against pirating through the use of USB dongles. The root of the problem lies in the driver installed on computers that use these Sentinel dongles.
Either the system automatically downloads the driver when the dongle is first used, or the driver is installed with the protected application. The driver’s installation process opens port 1947 (used for operating the device), and adds it to the Windows Firewall exclusions. Opening that port makes the system vulnerable to attack via the Internet.
Our researchers also discovered 14 vulnerabilities of varying degrees of severity in the driver itself. Some of them allow denial-of-service attacks, and others even permit intruders to execute arbitrary code — with system privileges, at that.
What to do
First of all, don’t panic. Gemalto has already released a patch to fix all of these vulnerabilities. If you use applications protected by Sentinel dongles but for some reason did not see or receive this warning:
- Immediately install the latest (safe) version of the driver, or contact the vendor for instructions on how to update the driver (the manufacturer of the protected solution or Gemalto directly)
- Close port 1947, at least on the external (perimeter) firewall, as long as doing so won’t disrupt your business processes.