Critical Privilege Escalation Vulnerability in Schneider Electric Floating License Manager (CVE-2024-2658)
A high-severity vulnerability (CVE-2024-2658) has been identified in Schneider Electric’s Floating License Manager (FLM), specifically within the FlexNet Publisher component a third-party licensing library integrated into industrial automation software. The flaw, classified as CWE-427 (Uncontrolled Search Path Element), allows a local non-administrative user to escalate privileges to NT AUTHORITY\SYSTEM, granting full control over affected systems.
Vulnerability Mechanics
The issue stems from lmadmin.exe, a core licensing service in Schneider Electric FLM, which references a hardcoded OpenSSL configuration file path (C:\cygwin\home\nightly\LMADMI~1.4\tier1\lmadmin\contrib\openssl\_RELEA~1\openssl\openssl.cnf). Due to default Windows NTFS permissions, any authenticated user can recreate this directory structure and place a malicious openssl.cnf file containing a dynamic_path parameter pointing to a rogue DLL.
When lmadmin.exe (running under NT AUTHORITY\LOCAL SERVICE) restarts via reboot, service restart, or other triggers it loads the attacker-controlled DLL, executing arbitrary code in the service’s context. Exploiting SeImpersonatePrivilege, an attacker can further escalate to NT AUTHORITY\SYSTEM, enabling:
- Full system compromise (configuration files, sensitive data, stored credentials).
- Lateral movement across industrial networks (engineering workstations, PLCs, SCADA systems).
- Disruption of license services, impacting critical automation software availability.
Affected Systems & Scope
- Software: Schneider Electric FLM (versions prior to 3.0.0.0) using FlexNet Publisher ≤11.19.6.0.
- Environment: Industrial automation deployments (PLC programming, SCADA, control rooms).
- Attack Vector: Local access required; no remote exploitation possible without prior foothold.
Detection & Mitigation
- Detection: Kaspersky Industrial CyberSecurity (KICS) flags vulnerable versions and monitors exploitation attempts, including rogue configuration file creation and DLL loading.
- Mitigation Steps:
- Upgrade to Schneider Electric FLM 3.0.0.0 or later.
- Restrict directory permissions on
C:\cygwinto deny write access for Authenticated Users. - Isolate FLM on dedicated servers with strict access controls.
- Remove FLM if floating licenses are unnecessary, opting for machine-bound licensing.
Impact
Successful exploitation could lead to complete industrial control system (ICS) compromise, enabling attackers to manipulate automation processes, exfiltrate sensitive data, or disrupt operations. The vulnerability underscores risks in third-party dependencies and hardcoded path vulnerabilities in critical infrastructure software.
Source: https://securelist.com/tr/schneider-electric-cve-2024-2658-vulnerability/120436/
Flexera cybersecurity rating report: https://www.rankiteo.com/company/flexera
Schneider Electric cybersecurity rating report: https://www.rankiteo.com/company/schneider-electric
"id": "FLESCH1782484233",
"linkid": "flexera, schneider-electric",
"type": "Vulnerability",
"date": "1/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Industrial automation '
'deployments (PLC programming, '
'SCADA, control rooms)',
'industry': 'Industrial Automation, Energy Management',
'name': 'Schneider Electric',
'type': 'Company'}],
'attack_vector': 'Local',
'data_breach': {'sensitivity_of_data': 'High (industrial control system '
'configurations, credentials)',
'type_of_data_compromised': 'Sensitive data, stored '
'credentials, configuration '
'files'},
'description': 'A high-severity vulnerability (CVE-2024-2658) has been '
'identified in Schneider Electric’s Floating License Manager '
'(FLM), specifically within the FlexNet Publisher component, a '
'third-party licensing library integrated into industrial '
'automation software. The flaw allows a local '
'non-administrative user to escalate privileges to NT '
'AUTHORITY\\SYSTEM, granting full control over affected '
'systems. The issue stems from lmadmin.exe referencing a '
'hardcoded OpenSSL configuration file path, which can be '
'exploited to load a malicious DLL and execute arbitrary code '
'with elevated privileges.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'critical infrastructure vulnerability',
'data_compromised': 'Sensitive data, stored credentials, '
'configuration files',
'downtime': 'Potential disruption of license services and '
'automation software availability',
'operational_impact': 'Full system compromise, lateral movement '
'across industrial networks, disruption of '
'critical automation processes',
'systems_affected': 'Industrial automation software, PLCs, SCADA '
'systems, engineering workstations'},
'lessons_learned': 'Risks in third-party dependencies and hardcoded path '
'vulnerabilities in critical infrastructure software',
'post_incident_analysis': {'corrective_actions': ['Upgrade to patched version '
'of FLM',
'Restrict directory '
'permissions',
'Isolate FLM on dedicated '
'servers',
'Remove FLM if unnecessary'],
'root_causes': 'Hardcoded OpenSSL configuration '
'file path in lmadmin.exe, default '
'Windows NTFS permissions allowing '
'directory recreation, and '
'SeImpersonatePrivilege enabling '
'privilege escalation'},
'recommendations': ['Upgrade to Schneider Electric FLM 3.0.0.0 or later',
'Restrict directory permissions on C:\\cygwin to deny '
'write access for Authenticated Users',
'Isolate FLM on dedicated servers with strict access '
'controls',
'Remove FLM if floating licenses are unnecessary',
'Monitor for exploitation attempts using tools like '
'Kaspersky Industrial CyberSecurity (KICS)'],
'references': [{'source': 'CVE Details'}],
'response': {'containment_measures': ['Upgrade to Schneider Electric FLM '
'3.0.0.0 or later',
'Restrict directory permissions on '
'C:\\cygwin to deny write access for '
'Authenticated Users',
'Isolate FLM on dedicated servers with '
'strict access controls',
'Remove FLM if floating licenses are '
'unnecessary'],
'enhanced_monitoring': 'Kaspersky Industrial CyberSecurity '
'(KICS) flags vulnerable versions and '
'monitors exploitation attempts',
'network_segmentation': 'Isolate FLM on dedicated servers',
'remediation_measures': ['Upgrade to Schneider Electric FLM '
'3.0.0.0 or later']},
'title': 'Critical Privilege Escalation Vulnerability in Schneider Electric '
'Floating License Manager (CVE-2024-2658)',
'type': 'Privilege Escalation',
'vulnerability_exploited': 'CVE-2024-2658 (CWE-427: Uncontrolled Search Path '
'Element)'}