__________________________________________________________
 
                       The U.S. Department of Energy
                    Cyber Incident Response Capability
                  __   __   __       ___ __ __ ___    ___
                 |  \ |  | |_   __  /      |   |__|  /
                 |__/ |__| |__      \___ __|__ |   \ \___
        __________________________________________________________


                             INFORMATION BULLETIN

     InstallShield /  Macrovision / Acresso FLEXnet Connect Vulnerabilities
                     [US-CERT Vulnerability Note VU#837092]

October 15, 2008 21:00 GMT                                        Number T-015
______________________________________________________________________________
PROBLEM:       Acresso FLEXnet Connect executes scripts that are insecurely 
               retrieved from a remote web server, which can allow a remote, 
               unauthenticated attacker to execute arbitrary code on a 
               vulnerable system. 
PLATFORM:      Acresso FLEXnet Connect 
DAMAGE:        Execute arbitrary code. 
SOLUTION:      Upgrade to the appropriate version. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. By modifying the rule script that is sent 
ASSESSMENT:    to a FLEXnet Connect client, a remote unauthenticated attacker 
               may be able to execute arbitrary code on a vulnerable system. 
______________________________________________________________________________
CVSS 2 BASE SCORE: 6.8 
 TEMPORAL SCORE:   5.3 
 VECTOR:           (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C) 
______________________________________________________________________________
LINKS: 
 DOE-CIRC BULLETIN:  http://doecirc.energy.gov/ciac/bulletins/t-015.shtml 
 ORIGINAL BULLETIN:  http://www.kb.cert.org/vuls/id/837092 
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
                     CVE-2008-1093 
______________________________________________________________________________
[***** Start US-CERT Vulnerability Note VU#837092 *****]

Vulnerability Note VU#837092
InstallShield / Macrovision / Acresso FLEXnet Connect insecurely retrieves and 
executes scripts

Overview
Acresso FLEXnet Connect executes scripts that are insecurely retrieved from a remote 
web server, which can allow a remote, unauthenticated attacker to execute arbitrary 
code on a vulnerable system. 


I. Description
Acresso FLEXnet Connect is a software package that allows vendors to provide updates 
to applications. FLEXnet Connect-enabled software has the ability to 

Check for updates from the software publisher 

Receive update files and messages from the software publisher 

Install software updates, including the ability to do so silently 

Collect and transmit system information, such as machine name, operating system, IP 
address, or other hardware details, such as network or video card properties 

Log and transmit each time an application is started, terminated, or when a specific 
feature within the application is used

Acresso FLEXnet Connect was formerly known as Macrovision FLEXnet Connect, and 
before that it was known as InstallShield Update Service.

The FLEXnet Connect client software communicates with centralized servers to check 
for updates and other product information on a periodic basis. Updates can also be 
triggered by using Internet Explorer to visit a web page that uses the FLEXnet 
Connect ActiveX control, which is provided by agent.exe. When connecting to the 
server, the client can receive special instructions (rules) to assist in evaluating 
whether an update is relevant. These instructions are provided by a GetRules.asp 
page on a web server. These rules are presented in a scripting language, such as 
VBScript.

FLEXnet Connect retrieves rules insecurely in that it uses unsigned and unencrypted 
communication using the HTTP protocol, which can allow an attacker to inject code 
that will be executed on the client system. This can happen in a number of ways, 
including 

Compromising the FLEXnet Connect servers directly. 

Filtering client system traffic through a malicious proxy. 

Compromising DNS servers or otherwise modifying the host name lookup methodology 
of a client system.

Depending on how the vendor has configured the FLEXnet Connect components, the 
check for updates may occur on a periodic basis, every time an application is 
launched, when a user checks for updates manually, or if a web page that uses 
the FLEXnet ActiveX control is visited. Any software that has been packaged with 
the vulnerable InstallShield, Macrovision, or Acresso components may be vulnerable. 


II. Impact
By modifying the rule script that is sent to a FLEXnet Connect client, a remote 
unauthenticated attacker may be able to execute arbitrary code on a vulnerable 
system. 


III. Solution

Apply an update 
This issue is addressed with the FLEXnet Connect 11.0.1 client, which comes with 
agent.exe version 11.1.100.17104. This version of FLEXnet Connect includes the 
ability to verify certificates that are provided by the FLEXnet Connect server. A 
FLEXnet Connect server that uses signed communication will add an X-FNC-Sig HTTP 
header to outgoing messages. This signature is designed to prevent the server 
response from being successfully modified by an attacker. The signature checking 
is also designed to ensure that the FLEXnet Connect client is connecting to an 
authentic FLEXnet Connect server, much in the same way that HTTPS helps to ensure 
the identity of a web site. Note that the originally-released version of the 
FLEXnet Connect 11.0.1 client, which came with agent.exe version 11.1.100.16604, 
did not completely address this vulnerability.

Note that the FLEXnet Connect 11.0.1 SDK does not enable secure communications 
by default, but the updates.installshield.com FLEXnet Connect server is currently 
distributing an update that enables this feature. This means that if a system's 
DNS has been hijacked or if the communications with the FLEXnet Connect update 
server are modified before this update can be retrieved, an attacker may be able 
to execute arbitrary code on the client system.

Because the fixed version of the FLEXnet Connect runtime is relatively new (it 
was digitally signed on September 26, 2008), it is likely to take some time 
before software that is packaged with FLEXnet Connect will receive the update 
and also configure FLEXnet Connect to verify signatures. For this reason, we 
recommend the following workarounds:

Block outbound requests that contain the string /GetRules.asp

It may be possible to prevent this vulnerability from being exploited by 
filtering outbound URLs that contain the string /GetRules.asp. Some filtering 
examples are below. These examples may not work in all cases, and may cause 
unintended side-effects. 


iptables: 
iptables -A OUTPUT -m string --algo bm --string "/GetRules.asp" -j REJECT 
Squid: 
acl blockthisURL url_regex /GetRules.asp
http_access deny blockthisURL 
Snort: 
alert tcp any any <> any 80 (msg:"GetURL_rule"; sid:12346789; uricontent:
"/GetRules.asp"; nocase;)

Disable the DWUpdateService ActiveX control in Internet Explorer

The vulnerable ActiveX control can be disabled in Internet Explorer by setting 
the kill bit for the following CLSIDs:

{551E5190-19C7-4626-9D54-FB20355E6467}
{5B7524C8-2446-40E9-9474-94A779DBA224}
{8D9BB053-FEE5-4411-B6F5-F1E37DDC3106}
{EE4E49B0-38EC-4C23-A7A6-2E190B5E3418}
{FFF2D28F-E4EE-44D9-8104-8E71556757F6}

More information about how to set the kill bit is available in Microsoft Support 
Document 240797. Alternatively, the following text can be saved as a .REG file 
and imported to set the kill bit for this control:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\
{551E5190-19C7-4626-9D54-FB20355E6467}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\
{5B7524C8-2446-40E9-9474-94A779DBA224}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\
{8D9BB053-FEE5-4411-B6F5-F1E37DDC3106}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\
{EE4E49B0-38EC-4C23-A7A6-2E190B5E3418}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\
{FFF2D28F-E4EE-44D9-8104-8E71556757F6}]
"Compatibility Flags"=dword:00000400
Note that this list of CLSIDs may not be complete. Different versions of FLEXnet 
Connect or InstallShield Update Service use different CLSIDs for the ActiveX 
control that can be used to trigger updates.

Restrict access to the FLEXnet Conect client components

The vulnerable update components can be disabled by restricting access to the 
ISSCH.EXE and ISUSPM.EXE components on Microsoft Windows Systems. These 
executable files are for the InstallShield Update Service Scheduler and the 
Macrovision FLEXnet Connect Update Manager, respectively. These programs are 
used to periodically check for software updates using FLEXnet Connect. Users 
may also wish to rename the "\Program Files\Common Files\InstallShield\UpdateService" 
or related UpdateManager folders of other products to prevent automated execution 
of these programs until a fix is provided. Note that this may interfere with a 
product's ability to retrieve updates, including security fixes.

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an 
attacker) appears to prevent exploitation of this and other ActiveX 
vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can 
be found in the "Securing Your Web Browser" document.  

Systems Affected
Vendor Status Date Notified Date Updated 
Acresso Software Vulnerable 2008-09-18 2008-09-30 
Adobe Not Vulnerable 2008-09-15 2008-09-19 
Corel Corporation Vulnerable  2008-09-16 
F-Secure Corporation Not Vulnerable 2008-09-15 2008-09-19 
IBM Corporation Vulnerable  2008-09-17 
InstallShield Vulnerable  2008-09-30 
Intel Corporation Not Vulnerable 2008-09-15 2008-09-19 
Macrovision Vulnerable 2008-09-15 2008-09-30 
Microsoft Corporation Not Vulnerable 2008-09-15 2008-09-24 
Roxio Vulnerable  2008-09-16 

References
http://www.cert.org/tech_tips/securing_browser/#Internet_Explorer
http://www.simplicity.net/vuln/CVE-2008-1093.txt
http://secunia.com/advisories/31896/ 

Credit
Thanks to Brian Dowling of Simplicity Communications for reporting this 
vulnerability. 

This document was written by Will Dormann. 

Other Information
Date Public: 2008-09-16 
Date First Published: 2008-09-16 
Date Last Updated: 2008-10-09 
CERT Advisory:   
CVE-ID(s): CVE-2008-1093 
NVD-ID(s): CVE-2008-1093 
US-CERT Technical Alerts:   
Metric: 9.90 
Document Revision: 58 


[***** End US-CERT Vulnerability Note VU#837092 *****]
_______________________________________________________________________________

DOE-CIRC wishes to acknowledge the contributions of US-CERT for the 
information contained in this bulletin.
_______________________________________________________________________________


DOE-CIRC provides the U.S. Department of Energy with incident response, 
reporting, and tracking, along with other computer security support. 
DOE-CIRC is a member of GFIRST, the Government Forum of Incident 
Responders and Security Teams and FIRST an international incident 
response and security organization. 

DOE-CIRC services are available to DOE and DOE contractors. DOE-CIRC
can be contacted at:
    Voice:    +1 866-941-2472 (7x24)
    FAX:      +1 702-932-0189
    STU-III:  Call the voice number.
    E-mail:   doecirc@doecirc.energy.gov

Previous DOE-CIRC notices, anti-virus software, and other information are
available from the DOE-CIRC Computer Security Archive.

   World Wide Web:      http://doecirc.energy.gov/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive DOE-CIRC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with DOE-CIRC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor any agency thereof, nor any of their employees, 
makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial product,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or
any agency thereof. The views and opinions of originators expressed
herein do not necessarily state or reflect those of the United States
Government or any agency thereof.

LAST 10 DOE-CIRC Bulletins

S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
S-222: Evolution Security Update