Security flaws in licence management system could 'affect thousands'
Researchers have warned that a series of security flaws found in a widely-used software management system could affect thousands of critical systems across the corporate world.
Security experts at the Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (ICS CERT) have found 14 distinct loopholes in a software licence management system that is used by business worldwide, the Hardware Against Software Piracy (HASP) system.
The Kaspersky team have encouraged affected users to install the latest patches for the software as soon as possible, with the vulnerabilities in some builds able to be exploited for DDOS attacks, remote code execution, hash capturing and configuration manipulation.
HASP is used on USB tokens and many drivers to activate software licences on an organisation-wide level. Any vulnerabilities in the system would affect hundreds of thousands of systems around the world.
Once a USB token is attached to a PC or a server, the operating system allows for a download of the latest driver from the software provider to pair the token with computer hardware. Researchers have discovered, however, that upon installation the software opens up port 1947 to the list of exclusions from Windows firewall without alerting the user.
The port remains open even once the token has been detached from a given computer, meaning that updates, patches and other changes would not protect even a locked PC.
Would-be attackers would only need to scan for any vulnerabilities on the relevant port to find any remotely accessible computers.
Vladimir Dashchenko, head of vulnerability research group in the Kaspersky Lab ICS CERT, said that the possible scale of consequences would be “very large” as HASP tokens are not just used in normal corporate environments, but also “critical facilities with strict remote access rules”.
He added: “The latter could easily be broken with the help of the issue which we discovered to be putting critical networks in danger.”