What is the extent of the vulnerability?
Xilinx was not provided with full details on the vulnerability but we do know the following:
- If you are not running a license server, you are not at risk.
- The vulnerability was rated as High
- These vulnerabilities exist on all platforms in all supported versions of the following FlexNet Publisher components:
- The vulnerability affects lmgrd and vendor daemon executables built by each FlexNet Publisher customer from object code provided by Flexera Software
- Vulnerability is greater if the application is directly exposed to the internet.
- If your license servers are behind a firewall, the risk is reduced.
The Base CVSS score is 7.6.
Only under highly-customized environments would a user of FlexNet-licensed software expose the lmgrd or vendor daemon executables to the internet.
If a user exposes either of these components to the internet, then a partial work-around is to expose them to only a trusted network until they can be patched.
Exposing either of these components to the internet raises the CVSS base score of this vulnerability to 9.0.
Are Xilinx License tools affected?
Yes, this issue affects the following:
- The lmgrd executable (versions earlier than v184.108.40.206),
- Vendor daemon executables, including xilinxd, built by each FlexNet Publisher customer from object code provided by Flexera Software (versions earlier than v220.127.116.11).
Are updated License utilities available?
Xilinx has built license utilities based on FNP v18.104.22.168.
The license utilities are attached to this answer record for Windows and Linux platforms.
The following issues should be noted before using the v22.214.171.124 utilities.
- Red Hat Enterprise Linux 5 (RHEL 5) is no longer officially supported by Flexera as a license server platform with FNP v126.96.36.199 or later server components. However, initial Red Hat Enterprise 5 testing by Xilinx has not highlighted any problems with the FNP v188.8.131.52 license server components.
Please note, RHEL 5 is still fully supported for the licensing runtime (client applications are unaffected).
- Serving an activation license with v184.108.40.206 trusted storage and v220.127.116.11 lmgrd causes the license to become untrusted. See (Xilinx Answer 66899).
Xilinx recommends that you update your license server software or make sure your license servers are behind a firewall. Updated components lmgrd and xilinxd must both be v18.104.22.168 or higher in order to eliminate this vulnerability.
License Administrator Best Practices for Mitigating Risk Exposure:
The following steps are recommended by Flexera as License Administrator best practices to help protect against this and other security vulnerabilities:
- Launch lmgrd and vendor daemon executables using a least privileged security level.
- Use the recommended security settings offered by the Operating System (OS) vendors that resist buffer/stack overflow attacks.
For example, the Data Execution Prevention (DEP) feature on Windows helps in this regard. Most OS updates also include security features that take advantage of both hardware and software based protection mechanisms against malicious code execution.
- Limit access to only administrative users by launching lmgrd with the '-2 p' command-line option, unless you are using FlexNet Manager for Engineering Applications. Refer to the product documentation for limitations related to usage of this command-line option.
- Do not use the default 27000-27009 TCP ports for lmgrd (Note: This only inhibits a hacker who does not use an intelligent port scanning tool).
The updated license utilities (v22.214.171.124) are in included with Vivado 2016.1. I.