
PN792 | FactoryTalk Activation Manager Unnecessary Third-party Service

Severity: Medium
Advisory ID: PN792
Published Date: November 08, 2013
Last Updated: November 08, 2013
Revision Number: 1.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Summary
FactoryTalk Activation Manager Unnecessary Third-party Service

Description

November 8, 2013 - version 1.0

During the installation of FactoryTalk Activation Manager, a software service from SafeNet Technologies called the Sentinel Local License Manager is automatically installed along with drivers for the USB activation dongles sometimes used with FactoryTalk Activation. These USB dongles are manufactured by SafeNet Technologies.

The Sentinel Local License Manager service is configured to start automatically on the Windows host. Furthermore, the service listens on three (3) communication ports: 1947/TCP, 1947/UDP, and an additional variable UDP port.

Recent evaluation of FactoryTalk Activation Manager has determined that the Sentinel Local License Manager service is unnecessary when SafeNet USB activation dongles are used with FactoryTalk Activation. The service is also unnecessary for the operation of any Rockwell Automation products.

Additionally, security testing has identified that the Sentinel Local License Manager service may fail when the specific communication ports it listens on become overwhelmed, or when specifically crafted traffic is directed at these ports and the accompanying service. The failure of the Sentinel service is trapped in software. No indications have been observed for potential code injection or successful escalation of privilege on the host.

To date, we are not aware of any known cases of successful exploitation of this vulnerability in FactoryTalk Activation Manager. Furthermore, we are not aware of publicly available proof of concept exploit code.

AFFECTED PRODUCTS

FactoryTalk Activation Manager v3.30 and greater on all Microsoft Windows operating systems is affected.

RISK MITIGATION

Rockwell Automation recommends disabling the SafeNet Sentinel Local License Manager service (hasplms.exe) unless specifically required by a non-Rockwell Automation application. Instructions for performing this operation are found in Knowledge Base (AID:570831). In addition, when a host-based firewall is available, we recommend blocking communication ports 1947/TCP and 1947/UDP on the host computer.
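The following PowerShell sketch is an added example of the mitigation described above; it is not Rockwell Automation's procedure from AID:570831. It assumes the Windows service name is `hasplms` (inferred from `hasplms.exe`), an elevated session, and a current Windows release that ships the NetTCPIP and NetSecurity modules; the firewall rule names are arbitrary labels chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: service name 'hasplms' (inferred from hasplms.exe);
# NetTCPIP/NetSecurity cmdlets available; rule names below are arbitrary labels.
$ServiceName = 'hasplms'
$Port        = 1947

# 1. Record what the service listens on before the change. This also reveals the
#    additional variable UDP port, which a fixed firewall rule cannot name in advance.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($svc -and $svc.ProcessId -ne 0) {
    $before  = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object OwningProcess -eq $svc.ProcessId |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort)
    $before += @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object OwningProcess -eq $svc.ProcessId |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort)
    $before | Format-Table -AutoSize | Out-Host
}

# 2. Stop and disable the service. Skip this step if a non-Rockwell Automation
#    application on the host specifically requires the Sentinel service.
if ($svc) {
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $ServiceName -StartupType Disabled
}

# 3. Block inbound 1947/TCP and 1947/UDP in the host firewall (idempotent).
foreach ($proto in 'TCP', 'UDP') {
    $ruleName = "Block Sentinel License Manager $Port/$proto"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
            -Protocol $proto -LocalPort $Port | Out-Null
    }
}

# 4. Verify: service disabled and nothing left listening on port 1947.
$after = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
[pscustomobject]@{
    ServiceFound     = [bool]$after
    StartMode        = $after.StartMode
    State            = $after.State
    ListeningTcp1947 = [bool](Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)
    ListeningUdp1947 = [bool](Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue)
}
```

Disabling the service also closes the variable UDP port listed in step 1; the firewall rules alone cover only port 1947.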

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information relating to this matter.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security

KCS Status

Released

Copyright ©2022 Rockwell Automation, Inc.