SafeNet Sanitization Vulnerability

Tuesday, December 13, 2011 @ 01:12 PM gHale


There is an input sanitization vulnerability in the SafeNet Sentinel HASP Software Rights Management (HASP-SRM) license management application.

ICS-CERT coordinated the vulnerability report with SafeNet and the researcher who found the hole, Carlos Mario Penagos Hollman of Synapse-labs. SafeNet produced an updated version that mitigates the vulnerability. Penagos tested the updated version and validated that it resolves the vulnerability.

The vulnerability affects the following products:
• SafeNet Sentinel HASP SDK releases older than Version 5.11
• Sentinel HASP Run-time installers older than Version 6.x
• 7 Technologies (7T) IGSS Version 7.

Successful exploitation allows an attacker to change the code in a configuration file. SafeNet is a U.S.-based company that creates products for software protection and license management. The affected products, Sentinel HASP (formerly Aladdin HASP SRM), are the digital license manager keys used to enforce digital licenses that enable the use of software or hardware. According to SafeNet, its products see use on a global basis.

7T IGSS uses the SafeNet Sentinel HASP SDK for its digital license manager to enable its software products.

The web application Sentinel HASP Admin Control Center, which the user can access remotely, does not sufficiently validate user input. This can allow attackers to craft and inject HTML code into the configuration file.

The attacker can reproduce this vulnerability using Mozilla Firefox 2.0. It is not reproducible with the current versions of Mozilla Firefox, Microsoft Internet Explorer, Opera, and Google Chrome.

CVE-2011-3339 is the number assigned to this vulnerability. SafeNet calculated a CVSS v2 base score of 4.3 and an overall score of 0.9 for this vulnerability.

SafeNet has provided the following links to allow users to download an updated version that mitigates this vulnerability:
End user
Developer

SafeNet has also provided more information regarding this vulnerability as well as installation instructions for the updated version.


