FlexNet vulnerability: lmgrd Remote Code Execution

Zero Day has reported that a security vulnerability has been discovered in FlexNet License Server Manager installations. The vulnerability allows remote attackers to execute arbitrary code on FlexNet License Server Manager hosts. Authentication is not required to exploit it. The flaw was reported by Luigi Auriemma and Alexander Gavrun.

The specific flaw exists within lmgrd, the license server manager, which listens by default on TCP port 27000. A specially crafted packet sent to the server causes a stack overflow, allowing remote code execution in the context of the server.

Flexera Software has issued an update to correct this vulnerability and has also provided license administrators with best practices for mitigating risk exposure.
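Because the flaw is reachable without authentication on lmgrd's listening port, a first check on a license server is which addresses lmgrd is bound to. The following is an added example, not code from Flexera or from this advisory: it assumes a Linux host and the output format of `ss -H -tlnp`, the sample lines are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

LMGRD_DEFAULT_PORT = 27000  # default lmgrd port named in the advisory

# Constructed sample of `ss -H -tlnp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:27000 0.0.0.0:* users:(("lmgrd",pid=1234,fd=5))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=900,fd=6))
LISTEN 0 128 [::]:27000 [::]:* users:(("lmgrd",pid=1234,fd=6))
LISTEN 0 128 127.0.0.1:27000 0.0.0.0:* users:(("lmgrd",pid=2000,fd=3))
LISTEN 0 128 10.0.5.12:28123 0.0.0.0:* users:(("lmgrd",pid=3000,fd=3))
LISTEN 0 128 *:22 *:* users:(("sshd",pid=700,fd=3))
"""

PROC_RE = re.compile(r'\(\("([^"]+)"')  # first process name in users:((...))

def split_local(field):
    """Split the Local Address:Port column into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    return host, int(port)

def is_loopback(host):
    if host == "*":  # ss prints * for a wildcard bind
        return False
    return ipaddress.ip_address(host).is_loopback

def exposed_lmgrd_listeners(ss_output):
    """Return (host, port, process) for lmgrd listeners not bound to loopback.

    A listener is considered when the process is lmgrd (any port) or the port
    is 27000 (process name may be hidden when ss runs without root).
    """
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_local(fields[3])
        m = PROC_RE.search(line)
        proc = m.group(1) if m else "?"
        if proc != "lmgrd" and port != LMGRD_DEFAULT_PORT:
            continue
        if not is_loopback(host):
            findings.append((host, port, proc))
    return findings

if __name__ == "__main__":
    for host, port, proc in exposed_lmgrd_listeners(SAMPLE_SS):
        print(f"REVIEW: {proc} on {host}:{port} is not loopback-only")
```

Each finding is a listener to compare against firewall rules so that only license clients can reach it until the vendor update is installed.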

More details can be found at:

http://www.flexerasoftware.com/pl/13057.htm