Sentinel Agent and Manager Sentinel is a new feature included in System Platform 2017 Update 3. Sentinel constantly monitors the License Server to ensure that it is accessible. In the event that the connection to the License Server is lost, Sentinel can be configured to send a warning message so you can quickly fix any issues and ensure. This Tech Note details the ArchestrA License Server installation and configuration procedure. The Tech Note applies to Wonderware products that utilize the Wonderware ArchestrA License Server (such as Wonderware ActiveFactory 9.2 and Wonderware Information Server 3.0).
1. EXECUTIVE SUMMARY
- ATTENTION: Exploitable remotely/Low skill level to exploit
- Vendor: AVEVA Software, LLC (AVEVA)
- Equipment: Wonderware License Server
- Vulnerability: Improper Restriction of Operations within the Bounds of a Memory Buffer
2. RISK EVALUATION
Successful exploitation of this vulnerability may result in remote code execution with administrative privileges.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Wonderware License Server use the vulnerable Flexera lmgrd (Versions 11.13.1.1 and prior):
- Wonderware License Server v4.0.13100 and prior.
Only users with the Counted Licenses feature with “ArchestrAServer.lic” in Wonderware License Server are affected.
Wonderware License Server is delivered by:
- Wonderware Information Server 4.0 SP1 and prior, and
- Historian Client 2014 R4 SP2 P02 and prior.
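The affected-version criteria above can be applied to a host inventory with a short triage script. This is an added example, not AVEVA or CISA tooling; the inventory format, host names, the `review`/`ok` labels and the choice to flag a host when either version is at or below its threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not AVEVA or CISA tooling. Thresholds are the ones quoted in
# the advisory text above.
WLS_MAX=4.0.13100     # Wonderware License Server "v4.0.13100 and prior"
LMGRD_MAX=11.13.1.1   # lmgrd "11.13.1.1 and prior"

# ver_le A B: succeed when dotted version A <= B, comparing fields numerically
# (so 11.9 sorts below 11.13, which a plain string compare gets wrong).
ver_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 0
    }' </dev/null
}

# triage: stdin lines "host wls_version lmgrd_version archestra_lic(yes|no)".
# Prints "host review" when the ArchestrAServer.lic counted-license file is in
# use and either version is at or below the advisory threshold, else "host ok".
triage() {
    while read -r host wls lmgrd lic; do
        case "$host" in ''|'#'*) continue ;; esac
        status=ok
        if [ "$lic" = yes ]; then
            if ver_le "${wls#v}" "$WLS_MAX" || ver_le "$lmgrd" "$LMGRD_MAX"; then
                status=review
            fi
        fi
        printf '%s %s\n' "$host" "$status"
    done
}

# Constructed inventory; host names and the versions above the thresholds are
# made up for illustration.
INVENTORY='hist01 v4.0.13100 11.13.1.1 yes
hist02 v4.0.13100 11.13.1.1 no
eng01 4.0.12000 11.9.0.0 yes
new01 4.1.0 11.14.0.2 yes'

printf '%s\n' "$INVENTORY" | triage
```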
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119
Buffer overflows in lmgrd and vendor daemon in Flexera FlexNet Publisher may allow remote attackers to execute arbitrary code via a crafted packet, resulting in remote code execution with administrator privileges.
CVE-2015-8277 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy, Food and Agriculture, and Water and Wastewater
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: United Kingdom
3.4 RESEARCHER
An anonymous researcher reported this vulnerability to AVEVA, who then reported it to NCCIC.
4. MITIGATIONS
AVEVA recommends affected users install update “Hotfix Wonderware License Server VU-485744” or later, which can be downloaded from:
https://softwaresupportsp.schneider-electric.com/#/producthub/details?id=5076 (login required)
AVEVA has published Security Bulletin LFSEC00000129. It can be found at the following location:
NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.
No known public exploits specifically target this vulnerability.
Contact Information
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
For industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics
or incident reporting: https://us-cert.cisa.gov/report
ArcGIS License Manager 2020.1 uses FlexNet Publisher license management software. Details on the version of FlexNet Publisher used in each version of ArcGIS License Manager can be found in Technical Article 13214. This version of the license manager will support all product releases listed within the Supported Software Products topic. Visit the Existing users page for information on migrating from version 9.x to 2020.1.
Caution:
If licensing ArcGIS products in the cloud or in virtualized environments using ArcGIS License Manager, please refer to the Esri whitepaper on cloud licensing for more information, including details about supported cloud instance types.
For customers using ArcGIS License Manager to authorize ArcGIS Pro and Premium App named user licenses via a Portal for ArcGIS installation, please refer to the Configure License Manager for use with Portal for ArcGIS topic for details on authorization and configuration. To install the License Manager software, follow the instructions below.
Note:
You do not need to uninstall existing ArcGIS software products to install the license manager, but you do need to uninstall 10.0 or older versions of the license manager to install the latest version. Before installing ArcGIS License Manager 2020.1, please review the System Requirements.
Important: Starting with ArcGIS License Manager 2019.0 (Linux platforms only), the FlexNet licensing service must be installed as a separate step after the ArcGIS License Manager setup completes, both for clean installs and for in-place upgrades of the software. If the FlexNet licensing service is not installed, clients cannot connect to the ArcGIS License Manager. At the completion of the ArcGIS License Manager install, instructions will be displayed for completing the installation of the FlexNet licensing service, which require the user to provide root privileges for the install to proceed. If the FlexNet licensing service is not installed at this stage, it must be manually installed separately. Please see the section below titled Manually installing the FlexNet licensing service (applies to Linux Platforms only) for details.
ArcGIS License Manager communicates through TCP/IP, which must be installed and functioning properly on your Windows license server. In addition, TCP/IP requires that either a network card, along with its drivers, or the MS Loopback Adapter be installed on your Windows machine. An Internet connection is also strongly recommended for the license authorization process. If you do not have an Internet connection on the license manager machine, you can select the email or website authorization option on the Authorization Method panel of the Software Authorization Wizard.
Installing the ArcGIS License Manager
Upon purchasing your ArcGIS products, you will receive an email from Esri Customer Service listing the purchased products and associated authorization numbers and license counts. Alternatively, you can visit the My Esri site to obtain authorization information. Follow the steps below to install, authorize, and start the license manager:
1. Run the License Manager setup from your My Esri software download or from the ArcGIS installation media.
2. Follow the instructions to install the license manager and FlexNet licensing service. At the end of the installation, ArcGIS License Server Administrator appears. If you did not install the FlexNet licensing service during the License Manager setup, you must manually install the FlexNet licensing service before attempting step 3. Please see the section below titled Manually installing the FlexNet licensing service (applies to Linux Platforms only) for details.
3. Complete the authorization process and start the license service. If you choose to do this step at a later time, on Windows, you can access License Server Administrator from Start > Programs > ArcGIS > License Server Administrator. On Linux, you can run License Server Administrator from the installation location using the following command: <installation_path>/arcgis/licensemanager/LSAdmin.
4. Click Authorization in the table of contents, select a version from the Version drop-down list, and click the Authorize Now button to launch the Software Authorization Wizard.
5. Follow the instructions on the dialog boxes to complete the authorization process. A provisioning file (*.prvs) generated on the My Esri portal can be used to speed up the authorization process for concurrent use. This file fills in all the necessary user and product authorization information in the wizard. More information on provisioning files can be found in the section Provisioning Files.
6. Click Finish to close the wizard and return to License Server Administrator.
Manually installing the FlexNet licensing service (applies to Linux Platforms only)
- Navigate to <installation_path>/arcgis/licensemanager
- Run install_fnp.sh. This shell script configures the FlexNet licensing service executable to run as a root-privilege setuid process.
- The FlexNet licensing service daemon needs to run continuously. Therefore, a further installation step is required to ensure it is started at boot time. Because the FlexNet licensing service daemon does not need to run with root privilege, it can be started by adding the following line to a nominated user's crontab (in the case of ArcGIS License Manager 2020.1): @reboot /usr/local/share/FNP/service/11.16.5/FNPLicensingService -r 2>&1 >/tmp/fnpd.log
Windows installations, or Linux installations of ArcGIS License Manager 2018.1 and earlier do not require the additional step of installing the FlexNet licensing service.
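The crontab line above redirects stderr before stdout (`2>&1 >/tmp/fnpd.log`), so only stdout reaches the log file. The following added example, which is not Esri or Flexera code, demonstrates that ordering with a stand-in command and audits crontab text for it; the finding labels and the `/var/log/fnp/fnpd.log` path in the second sample line are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. Audits FNPLicensingService crontab entries.

# logged_streams page|fixed: run a stand-in that writes "out" to stdout and
# "err" to stderr under the given redirection order; print what the log got.
logged_streams() {
    log=$(mktemp) || return 1
    say() { echo out; echo err >&2; }
    case "$1" in
        page)  { say 2>&1 >"$log"; } >/dev/null ;;  # order in the crontab line
        fixed) { say >"$log" 2>&1; } >/dev/null ;;  # file first, then 2>&1
    esac
    cat "$log"
    rm -f "$log"
}

# audit_fnp_cron: read crontab text on stdin, print one findings line per
# FNPLicensingService entry ("ok" when nothing is flagged).
audit_fnp_cron() {
    grep 'FNPLicensingService' | while IFS= read -r line; do
        findings=
        case "$line" in
            '#'*) continue ;;
            '@reboot '*) ;;
            *) findings="$findings not-at-reboot" ;;
        esac
        # "2>&1" followed by a later ">" means stderr was duplicated before
        # stdout was pointed at the file, so errors never reach the log.
        case "$line" in
            *'2>&1'*'>'*) findings="$findings stderr-not-in-log" ;;
        esac
        # /tmp is world-writable; a service log is better kept in a
        # directory owned by the service account.
        case "$line" in
            *'>/tmp/'*|*'> /tmp/'*) findings="$findings log-in-tmp" ;;
        esac
        [ -n "$findings" ] || findings=" ok"
        echo "${findings# }"
    done
}

# Constructed input: the page's line, then a variant with a hypothetical log path.
SAMPLE='@reboot /usr/local/share/FNP/service/11.16.5/FNPLicensingService -r 2>&1 >/tmp/fnpd.log
@reboot /usr/local/share/FNP/service/11.16.5/FNPLicensingService -r >/var/log/fnp/fnpd.log 2>&1'

printf '%s\n' "$SAMPLE" | audit_fnp_cron
```

To audit a real account, pipe `crontab -l` for the nominated user into `audit_fnp_cron`.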
Authorizing licenses silently
Run the following command to use the License Manager and a provisioning file generated from My Esri to silently authorize ArcGIS Desktop 10.1-10.8.1, ArcGIS Engine 10.1-10.8.1, ArcGIS CityEngine 2012.0-2021.0, and ArcGIS Pro 1.2-2.7 concurrent use licenses:
softwareauthorizationLS.exe -S -VER 10.8 -LIF <path to the *.prvs file>
A -verbose switch can be added to the above command to display the status of the authorization process on the command line.
On Linux, use the following syntax:
$ ./SoftwareAuthorizationLS -S -VER 10.8 -LIF <path to the *.prvs file>
Note:
When accessing the Software Authorization Wizard through terminal services in a Linux environment, a valid display must be set. Technical Article 12175 provides more information on how to set up an Xvfb display to use ArcGIS software through terminal services in a Linux environment.
Authorizing licenses offline
If the machine hosting your license manager does not have access to the Internet, you can complete the authorization process in an offline mode. After launching the Software Authorization Wizard as described in step 4 above, follow these instructions:
- On the second dialog box of the authorization wizard, select the option Authorize at Esri's website or by email to receive your authorization file.
- Follow the instructions on the rest of the dialog boxes and save the authorization request file when prompted at the end. By default, this will be saved as authorize.txt.
- Follow the instructions on the last dialog box to send or upload the file from a machine that has email and/or Internet access.
- Esri Customer Service will process the request and return the response file (*.resps) that contains your licenses.
- Save this file to your license manager host machine and relaunch the Software Authorization Wizard from the License Server Administrator.
- On the first panel, select the third option I have received an authorization file from Esri and am now ready to finish the authorization process and browse to the response file to complete your authorization.
Upgrading licenses from 10.1 through 10.7 to 10.8.x
Concurrent use ArcGIS Desktop 10.8.x and Engine 10.8.x use the same 10.1-10.8 licenses. If you have previously authorized 10.1-10.8 licenses on your License Manager and did not deauthorize your licenses before installing ArcGIS License Manager 2020.1, you do not need to reauthorize your ArcGIS License Manager. Follow the instructions below for upgrading your License Manager software from 10.1-10.6, or 2018.0-2020.0 to version 2020.1.
Note:
If you perform an in-place upgrade of the ArcGIS License Manager software, there is also no requirement to re-authorize your ArcGIS Pro or ArcGIS CityEngine concurrent use licenses. The licenses will continue to work.
Upgrading from 10.3-10.6, or 2018.0-2020.0 to ArcGIS License Manager 2020.1 with named user licenses
Named user licenses for use with a Portal for ArcGIS instance remain the same with ArcGIS License Manager 2020.1. If you perform an in-place upgrade of the ArcGIS License Manager software, there is no need to re-authorize your valid named user licenses or export the Portal JSON file to Portal for ArcGIS. The in-place upgrade instructions for ArcGIS License Manager software can be found in the section below titled Upgrading License Manager software from 10.1-10.6, or 2018.0-2020.0 to License Manager 2020.1.
Upgrading License Manager software from 10.1-10.6 or 2018.0-2020.0 to ArcGIS License Manager 2020.1
ArcGIS Desktop and Engine 10.1-10.8 licenses will operate with ArcGIS Desktop and Engine 10.8.x, and no license upgrade is required. However, any client software operating at version 10.8.x must use a 2020.0 License Manager or higher. To upgrade ArcGIS 10.1-10.6, or 2018.0-2020.0 License Manager software to ArcGIS License Manager 2020.1, follow these instructions:
1. Open the License Server from Start > Programs > ArcGIS > License Server Administrator. On Linux, you can run License Server Administrator (in the case of version 2020.0) from the installation location using the following command: <installation_path>/arcgis/licensemanager/LSAdmin.
2. Stop the License Service under Start/Stop License service and exit the License Server Administrator.
3. Install ArcGIS License Manager 2020.1 and the FlexNet licensing service. The installer will automatically uninstall your ArcGIS License Manager 10.1-10.6 or 2018.0-2020.0, and install ArcGIS License Manager 2020.1 and in some cases may prompt to install the FlexNet licensing service. If the FlexNet licensing service was not installed following the ArcGIS License Manager installation, the FlexNet licensing service must be installed manually before proceeding with step 4. Please see section above titled Manually installing the FlexNet licensing service (applies to Linux Platforms only) for more details.
4. Open the License Server from Start > Programs > ArcGIS > License Server Administrator. On Linux, you can run License Server Administrator from the installation location using the following command: <installation_path>/arcgis/licensemanager/LSAdmin.
5. Start the license service under Start/Stop License Service and exit the License Server Administrator. ArcGIS License Manager 2020.1 is now ready for use.
Upgrading older software and licenses from 10.0 to 10.1 or newer (including License Manager 2020.1)
ArcGIS 10.0 licenses will not operate ArcGIS 10.1-10.8.x software. You must deauthorize your 10.0 licenses before uninstalling the ArcGIS 10.0 License Manager.
- Open the License Server Administrator from Start > Programs > ArcGIS > License Server Administrator.
- Select the Authorization option in the left hand panel, then press the Deauthorize... button. The Software Authorization Wizard will open.
- Step through the Software Authorization Wizard to complete the deauthorization process. You can opt to deauthorize online or offline via email or My Esri file upload.
- Close the License Server Administrator.
- Uninstall the ArcGIS 10.0 License Manager.
- Install ArcGIS 10.1 or newer License Manager.
- Go to the Authorization folder, click Authorize Now, and follow the instructions to complete the authorization process.
Configuring a firewall
In some cases, a firewall may block inbound and outbound traffic to the ArcGIS License Manager, preventing license usage from client machines and requiring ports to be opened in the firewall of the license manager host. Please refer to the topic Configure ArcGIS License Manager to work through a firewall.
Contacting Esri Customer Service
If for any reason you are unable to locate your authorization information, you can contact Esri Customer Service and request that it be resent.
In the United States, you can contact Esri Customer Service by calling 888-377-4575, or visit the My Esri site.
Outside the United States, contact your local Esri distributor.