Thousands of critical systems affected by serious security flaws

Security researchers have identified 14 vulnerabilities in a software licence management system used in corporate and industrial IT systems worldwide.

The vulnerabilities in the Hardware Against Software Piracy (HASP) system were discovered by the Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (ICS CERT).

The researchers urge affected users to patch their systems as soon as possible because the vulnerabilities can be exploited to carry out denial-of-service attacks, remote code execution, hash capturing and configuration manipulation.

Hundreds of thousands of systems around the world are feared to be affected by the vulnerabilities in HASP USB tokens and drivers used for software licence activation.

Once the token is attached to a PC or a server for the first time, the Windows operating system downloads the software driver from the software supplier to make the token hardware work with the computer hardware.

In other cases, the driver comes installed with third-party software which uses the HASP system for licence protection.

However, the Kaspersky Lab researchers have found that, upon installation, this software adds port 1947 of the computer to the list of exclusions of the Windows firewall with no proper user notification, making it available for a remote attack.

An attacker would only need to scan the targeted network for open port 1947 in order to identify any remotely available computers.

The researchers also found that the port remains open after the token has been detached, which is why even in a patched and protected corporate environment, an attacker would only need to install software using the HASP management system, or attach the token to a PC once – even a locked one – in order to make it available for remote attacks.

All identified vulnerabilities can potentially be very dangerous and result in big losses for businesses, the researchers said.

“Given how widespread this licence management system is, the possible scale of consequences is very large, because these tokens are used not only in regular corporate environments, but also in critical facilities with strict remote access rules,” said Vladimir Dashchenko, head of vulnerability research group, Kaspersky Lab ICS CERT.

“The latter could easily be broken with the help of the issue which we discovered to be putting critical networks in danger.”

Kaspersky Lab has reported these vulnerabilities to the affected software suppliers and the companies have subsequently released security patches.

The Kaspersky Lab ICS CERT said it “strongly recommends” that users of the affected products do the following:

• Install the latest (secure) version of the driver as soon as possible, or contact the supplier for instructions on updating the driver.
• Close port 1947, at least on the external firewall (on the network perimeter) – but only as long as this does not interfere with business processes.

The vulnerabilities have been allocated the following CVE numbers: CVE-2017-11496, CVE-2017-11497, CVE-2017-11498, CVE-2017-12818, CVE-2017-12819, CVE-2017-12820, CVE-2017-12821 and CVE-2017- 12822.