CERT Coordination Center

InstallShield / Macrovision / Acresso FLEXnet Connect insecurely retrieves and executes scripts

Vulnerability Note VU#837092

Original Release Date: 2008-09-16 | Last Revised: 2008-11-28

Overview

Acresso FLEXnet Connect executes scripts that are insecurely retrieved from a remote web server, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Acresso FLEXnet Connect is a software package that allows vendors to provide updates to applications. FLEXnet Connect-enabled software has the ability to:

    • Check for updates from the software publisher
    • Receive update files and messages from the software publisher
    • Install software updates, including the ability to do so silently
    • Collect and transmit system information, such as machine name, operating system, IP address, or other hardware details, such as network or video card properties
    • Log and transmit each time an application is started, terminated, or when a specific feature within the application is used

Acresso FLEXnet Connect was formerly known as Macrovision FLEXnet Connect, and before that it was known as InstallShield Update Service.

The FLEXnet Connect client software communicates with centralized servers to check for updates and other product information on a periodic basis. Updates can also be triggered by using Internet Explorer to visit a web page that uses the FLEXnet Connect ActiveX control, which is provided by agent.exe. When connecting to the server, the client can receive special instructions (rules) to assist in evaluating whether an update is relevant. These instructions are provided by a GetRules.asp page on a web server. These rules are presented in a scripting language, such as VBScript.

FLEXnet Connect retrieves rules insecurely in that it uses unsigned and unencrypted communication using the HTTP protocol, which can allow an attacker to inject code that will be executed on the client system. This can happen in a number of ways, including:

    1. Compromising the FLEXnet Connect servers directly.
    2. Filtering client system traffic through a malicious proxy.
    3. Compromising DNS servers or otherwise modifying the host name lookup methodology of a client system.

    Depending on how the vendor has configured the FLEXnet Connect components, the check for updates may occur on a periodic basis, every time an application is launched, when a user checks for updates manually, or if a web page that uses the FLEXnet ActiveX control is visited. Any software that has been packaged with the vulnerable InstallShield, Macrovision, or Acresso components may be vulnerable.

    Impact

    By modifying the rule script that is sent to a FLEXnet Connect client, a remote unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.

    Solution

    Apply an update
    This issue is addressed with the FLEXnet Connect 11.0.1 client, which comes with agent.exe version 11.1.100.17104. This version of FLEXnet Connect includes the ability to verify certificates that are provided by the FLEXnet Connect server. A FLEXnet Connect server that uses signed communication will add an X-FNC-Sig HTTP header to outgoing messages. This signature is designed to prevent the server response from being successfully modified by an attacker. The signature checking is also designed to ensure that the FLEXnet Connect client is connecting to an authentic FLEXnet Connect server, much in the same way that HTTPS helps to ensure the identity of a web site. Note that the originally-released version of the FLEXnet Connect 11.0.1 client, which came with agent.exe version 11.1.100.16604, did not completely address this vulnerability.

    Note that the FLEXnet Connect 11.0.1 SDK does not enable secure communications by default, but the updates.installshield.com FLEXnet Connect server is currently distributing an update that enables this feature. This means that if a system's DNS has been hijacked or if the communications with the FLEXnet Connect update server are modified before this update can be retrieved, an attacker may be able to execute arbitrary code on the client system.

    Because the fixed version of the FLEXnet Connect runtime is relatively new (it was digitally signed on September 26, 2008), it is likely to take some time before software that is packaged with FLEXnet Connect will receive the update and also configure FLEXnet Connect to verify signatures. For this reason, we recommend the following workarounds:


    Block outbound requests that contain the string /GetRules.asp

    It may be possible to prevent this vulnerability from being exploited by filtering outbound URLs that contain the string /GetRules.asp. Some filtering examples are below. These examples may not work in all cases, and may cause unintended side-effects.

      • iptables:
        iptables -A OUTPUT -m string --algo bm --string "/GetRules.asp" -j REJECT
      • Squid:
        acl blockthisURL url_regex /GetRules.asp
        http_access deny blockthisURL
      • Snort:
        alert tcp any any <> any 80 (msg:"GetURL_rule"; sid:12346789; uricontent:"/GetRules.asp"; nocase;)
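
The same string can be used to find which hosts are running FLEXnet Connect clients, by searching proxy logs for plain-HTTP requests whose path contains /GetRules.asp. This is an added example, not part of the original note; it assumes Squid's native access.log layout, and the log lines, hosts and paths in it are constructed.

```python
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method URL ident peer type
SAMPLE_LOG = """\
1222000001.101     52 10.0.0.5 TCP_MISS/200 2310 GET http://updates.example.test/svc/GetRules.asp?app=1 - DIRECT/192.0.2.10 text/html
1222000002.202     40 10.0.0.7 TCP_MISS/200 2310 GET http://updates.example.test/svc/getrules.ASP?app=2 - DIRECT/192.0.2.10 text/html
1222000003.303     35 10.0.0.5 TCP_MISS/200 512 GET http://www.example.test/index.html - DIRECT/192.0.2.20 text/html
1222000004.404     61 10.0.0.9 TCP_MISS/200 2310 GET http://updates.example.test/svc/GetRules%2Easp - DIRECT/192.0.2.10 text/html
1222000005.505      0 10.0.0.8 TCP_DENIED/403 1500 GET http://updates.example.test/svc/GetRules.asp - NONE/- text/html
1222000006.606     12 10.0.0.6 TCP_MISS/200 39 CONNECT secure.example.test:443 - DIRECT/192.0.2.30 -
"""

NEEDLE = "/getrules.asp"


def find_rule_fetches(log_text):
    """Map client IP -> list of (action, url) for plain-HTTP rule fetches."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # not a native-format record
        client, action, method, url = fields[2], fields[3], fields[5], fields[6]
        if method == "CONNECT":
            continue  # tunnelled traffic: the URL path is not visible
        parts = urlsplit(url)
        # Decode percent-escapes and fold case, like the Snort rule's nocase
        path = unquote(parts.path).lower()
        if parts.scheme == "http" and NEEDLE in path:
            hits[client].append((action, url))
    return dict(hits)


def unblocked_clients(hits):
    """Clients with at least one rule fetch that the proxy did not deny."""
    return sorted(c for c, reqs in hits.items()
                  if any(not a.startswith("TCP_DENIED") for a, _ in reqs))


if __name__ == "__main__":
    for client in unblocked_clients(find_rule_fetches(SAMPLE_LOG)):
        print("rule fetch reached the server from", client)
```

Clients that appear only with TCP_DENIED entries are already covered by the proxy filter; the remaining ones still received a rule script over unauthenticated HTTP.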

    Disable the DWUpdateService ActiveX control in Internet Explorer

    The vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs:
      {551E5190-19C7-4626-9D54-FB20355E6467}
      {5B7524C8-2446-40E9-9474-94A779DBA224}
      {8D9BB053-FEE5-4411-B6F5-F1E37DDC3106}
      {EE4E49B0-38EC-4C23-A7A6-2E190B5E3418}
      {FFF2D28F-E4EE-44D9-8104-8E71556757F6}
    More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:
      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{551E5190-19C7-4626-9D54-FB20355E6467}]
      "Compatibility Flags"=dword:00000400

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5B7524C8-2446-40E9-9474-94A779DBA224}]
      "Compatibility Flags"=dword:00000400

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8D9BB053-FEE5-4411-B6F5-F1E37DDC3106}]
      "Compatibility Flags"=dword:00000400

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EE4E49B0-38EC-4C23-A7A6-2E190B5E3418}]
      "Compatibility Flags"=dword:00000400

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FFF2D28F-E4EE-44D9-8104-8E71556757F6}]
      "Compatibility Flags"=dword:00000400
    Note that this list of CLSIDs may not be complete. Different versions of FLEXnet Connect or InstallShield Update Service use different CLSIDs for the ActiveX control that can be used to trigger updates.
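
To confirm that the kill bit was actually applied, an exported copy of the ActiveX Compatibility key can be checked for each CLSID listed above. This is an added example, not part of the original note; it assumes the export has already been read as text, the sample export is constructed, and it tests the 0x400 bit rather than the exact value because other compatibility flags may be set alongside it.

```python
import re

# CLSIDs listed in this note
CLSIDS = [
    "{551E5190-19C7-4626-9D54-FB20355E6467}",
    "{5B7524C8-2446-40E9-9474-94A779DBA224}",
    "{8D9BB053-FEE5-4411-B6F5-F1E37DDC3106}",
    "{EE4E49B0-38EC-4C23-A7A6-2E190B5E3418}",
    "{FFF2D28F-E4EE-44D9-8104-8E71556757F6}",
]
KILL_BIT = 0x00000400
KEY_RE = re.compile(r"^\[(.+)\\(\{[0-9A-Fa-f-]{36}\})\]$")
VAL_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

# Constructed export: set, set with other flags, flag without kill bit,
# right CLSID under the wrong key; the fifth CLSID is absent.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{551E5190-19C7-4626-9D54-FB20355E6467}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5b7524c8-2446-40e9-9474-94a779dba224}]
"Compatibility Flags"=dword:00800400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8D9BB053-FEE5-4411-B6F5-F1E37DDC3106}]
"Compatibility Flags"=dword:00000020
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\{EE4E49B0-38EC-4C23-A7A6-2E190B5E3418}]
"Compatibility Flags"=dword:00000400
"""


def killbit_status(reg_text):
    """Return {CLSID: bool} telling whether the kill bit is set in reg_text."""
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            # Only values under the IE "ActiveX Compatibility" key count
            under_ie = bool(m) and m.group(1).lower().endswith(
                "\\activex compatibility")
            current = m.group(2).upper() if under_ie else None
            continue
        m = VAL_RE.match(line)
        if m and current:
            flags[current] = int(m.group(1), 16)
    return {c: bool(flags.get(c, 0) & KILL_BIT) for c in CLSIDS}


def missing_killbits(reg_text):
    """CLSIDs from the note whose kill bit is not set in the export."""
    return [c for c, ok in killbit_status(reg_text).items() if not ok]
```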

    Restrict access to the FLEXnet Connect client components

    The vulnerable update components can be disabled by restricting access to the ISSCH.EXE and ISUSPM.EXE components on Microsoft Windows Systems. These executable files are for the InstallShield Update Service Scheduler and the Macrovision FLEXnet Connect Update Manager, respectively. These programs are used to periodically check for software updates using FLEXnet Connect. Users may also wish to rename the "\Program Files\Common Files\InstallShield\UpdateService" or related UpdateManager folders of other products to prevent automated execution of these programs until a fix is provided. Note that this may interfere with a product's ability to retrieve updates, including security fixes.

    Disable ActiveX

    Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document. 

    Vendor Information

    Acresso Software

    Notified:  September 18, 2008 Updated:  September 30, 2008

    Status

      Vulnerable

    Vendor Statement

    The vulnerability that you refer to has been corrected in more recent versions of the product.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    This issue is addressed with the FLEXnet Connect 11.0.1 client, which comes with agent.exe version 11.1.100.17104. This version of FLEXnet Connect includes the ability to verify certificates that are provided by the FLEXnet Connect server. A FLEXnet Connect server that uses signed communication will add an X-FNC-Sig HTTP header to outgoing messages. This signature is designed to prevent the server response from being successfully modified by an attacker. The signature checking is also designed to ensure that the FLEXnet Connect client is connecting to an authentic FLEXnet Connect server, much in the same way that HTTPS helps to ensure the identity of a web site. Note that the originally-released version of the FLEXnet Connect 11.0.1 client, which came with agent.exe version 11.1.100.16604, did not completely address this vulnerability.

    Note that the FLEXnet Connect 11.0.1 SDK does not enable secure communications by default, but the updates.installshield.com FLEXnet Connect server is currently distributing an update that enables this feature. This means that if a system's DNS has been hijacked or if the communications with the FLEXnet Connect update server are modified before this update can be retrieved, an attacker may be able to execute arbitrary code on the client system.

    Because the fixed version of the FLEXnet Connect runtime is relatively new (it was digitally signed on September 26, 2008), it is likely to take some time before software that is packaged with FLEXnet Connect will receive the update and also configure FLEXnet Connect to verify signatures.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Corel Corporation

    Updated:  September 16, 2008

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    Our testing has shown that Corel Paint Shop Pro X is vulnerable. Other applications may also provide the vulnerable components.

    IBM Corporation

    Updated:  September 17, 2008

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    Our testing has shown that IBM Rational AppScan is vulnerable. Other applications may also provide the vulnerable components.

    InstallShield

    Updated:  September 30, 2008

    Status

      Vulnerable

    Vendor Statement

    The vulnerability that you refer to has been corrected in more recent versions of the product.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    This issue is addressed with the FLEXnet Connect 11.0.1 client, which comes with agent.exe version 11.1.100.17104. This version of FLEXnet Connect includes the ability to verify certificates that are provided by the FLEXnet Connect server. A FLEXnet Connect server that uses signed communication will add an X-FNC-Sig HTTP header to outgoing messages. This signature is designed to prevent the server response from being successfully modified by an attacker. The signature checking is also designed to ensure that the FLEXnet Connect client is connecting to an authentic FLEXnet Connect server, much in the same way that HTTPS helps to ensure the identity of a web site. Note that the originally-released version of the FLEXnet Connect 11.0.1 client, which came with agent.exe version 11.1.100.16604, did not completely address this vulnerability.

    Note that the FLEXnet Connect 11.0.1 SDK does not enable secure communications by default, but the updates.installshield.com FLEXnet Connect server is currently distributing an update that enables this feature. This means that if a system's DNS has been hijacked or if the communications with the FLEXnet Connect update server are modified before this update can be retrieved, an attacker may be able to execute arbitrary code on the client system.

    Because the fixed version of the FLEXnet Connect runtime is relatively new (it was digitally signed on September 26, 2008), it is likely to take some time before software that is packaged with FLEXnet Connect will receive the update and also configure FLEXnet Connect to verify signatures.

    Macrovision

    Notified:  September 15, 2008 Updated:  September 30, 2008

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    This issue is addressed with the FLEXnet Connect 11.0.1 client, which comes with agent.exe version 11.1.100.17104. This version of FLEXnet Connect includes the ability to verify certificates that are provided by the FLEXnet Connect server. A FLEXnet Connect server that uses signed communication will add an X-FNC-Sig HTTP header to outgoing messages. This signature is designed to prevent the server response from being successfully modified by an attacker. The signature checking is also designed to ensure that the FLEXnet Connect client is connecting to an authentic FLEXnet Connect server, much in the same way that HTTPS helps to ensure the identity of a web site. Note that the originally-released version of the FLEXnet Connect 11.0.1 client, which came with agent.exe version 11.1.100.16604, did not completely address this vulnerability.

    Note that the FLEXnet Connect 11.0.1 SDK does not enable secure communications by default, but the updates.installshield.com FLEXnet Connect server is currently distributing an update that enables this feature. This means that if a system's DNS has been hijacked or if the communications with the FLEXnet Connect update server are modified before this update can be retrieved, an attacker may be able to execute arbitrary code on the client system.

    Because the fixed version of the FLEXnet Connect runtime is relatively new (it was digitally signed on September 26, 2008), it is likely to take some time before software that is packaged with FLEXnet Connect will receive the update and also configure FLEXnet Connect to verify signatures.

    Roxio

    Updated:  November 27, 2008

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    http://kb.roxio.com/content/kb/General%20Information/000072GN

    Addendum

    Our testing has shown that Roxio DigitalMedia Archive is vulnerable. Other applications may also provide the vulnerable components.

    Adobe

    Notified:  September 15, 2008 Updated:  September 19, 2008

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Cisco Systems, Inc.

    Notified:  September 15, 2008 Updated:  November 05, 2008

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    F-Secure Corporation

    Notified:  September 15, 2008 Updated:  September 19, 2008

    Status

      Not Vulnerable

    Vendor Statement

    F-Secure do not provide any software that includes the vulnerable components described in the VU#837092 case.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Intel Corporation

    Notified:  September 15, 2008 Updated:  September 19, 2008

    Status

      Not Vulnerable

    Vendor Statement

    InstallShield Update Agent is not in use at Intel.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Microsoft Corporation

    Notified:  September 15, 2008 Updated:  September 24, 2008

    Status

      Not Vulnerable

    Vendor Statement

    It appears that we are not affected by this issue.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.


    CVSS Metrics

    Group          Score  Vector
    Base           N/A    N/A
    Temporal       N/A    N/A
    Environmental  N/A

    Credit

    Thanks to Brian Dowling of Simplicity Communications for reporting this vulnerability.

    This document was written by Will Dormann.

    Other Information

    CVE IDs: CVE-2008-1093
    Severity Metric: 9.90
    Date Public: 2008-09-16
    Date First Published: 2008-09-16
    Date Last Updated: 2008-11-28 04:57 UTC
    Document Revision: 61

    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.