Threat Intelligence

01:01 PM
Dark Reading
Dark Reading
Products and Releases

Kaspersky Lab Discovers Multiple Vulnerabilities in Widely Spread Corporate License Management Software

Woburn, MA – January 22, 2018 – According to Kaspersky Lab ICS CERT researchers, a variety of serious vulnerabilities have been identified in the Hardware Against Software Piracy (HASP) license management system of popular license management software used in corporate and ICS environments to activate software on PCs and servers. If these vulnerabilities are left unpatched, the popular license management USB-token can be used to open a hidden remote access channel for cyberattackers.

Kaspersky Lab ICS CERT researchers have identified 14 vulnerabilities in a component of the software solution, including multiple denial-of-service (DoS) vulnerabilities and several RCEs (remote execution of arbitrary code) which, for instance, are automatically exploited not with user rights, but with the most privileged system rights. This provides attackers with an opportunity to execute any arbitrary codes. All identified vulnerabilities can be potentially very dangerous and result in major losses for businesses.

The USB-tokens in question are widely used in different organizations to serve the purpose of convenient software license activation. In normal use case scenarios, a company’s system administrator would need to approach the computer with the software that needs to be activated and insert the token. It will then confirm that the software of interest is legitimate (not pirated) and would activate it.

Once the token is attached to a PC or a server for the first time, Windows OS downloads the software driver from the vendor’s servers in order to make the token hardware work properly with the computer hardware. In other cases, the driver comes installed with third party software which uses the aforementioned system for license protection. Our experts have found that, upon installation, this software adds port 1947 of the computer to the list of exclusions of the Windows Firewall with no proper user notification, which makes it vulnerable to a remote attack. An attacker would only need to scan the targeted network for open port 1947 in order to identify any remotely available computers.

More importantly, the port remains open after the token has been detached, which is why even in a patched and protected corporate environment, an attacker would only need to install software using the HASP solution, or attach the token to a PC once (even a locked one) in order to make it available for remote attacks.

Although the number of systems affected by the vulnerability is uncertain, due to the popularity of the software, it may amount to hundreds of thousands of users worldwide. All of the research has been reported to the vendor. All discovered vulnerabilities received the following CVE numbers:

“Given how popular this license management system is, the possible scale of the consequences of these vulnerabilities going unpatched is very large,” said Vladimir Dashchenko, head of vulnerability research group, Kaspersky Lab ICS CERT. “Since these tokens are not only used in regular corporate environments, but also in critical facilities with strict remote access rules, the vulnerabilities we discovered could be putting thousands of critical networks in danger.”

Upon discovery, Kaspersky Lab reported these vulnerabilities to the affected software vendors and the companies subsequently released security patches.

Kaspersky Lab ICS CERT strongly recommends that corporate and ICS organizations using the affected products do the following:


  • Install the latest (secure) version of the driver as soon as possible, or contact the vendor for instructions on updating the driver.
  • As long as it does not interfere with business processes, close port 1947, at least on the external firewall (on the network perimeter).


You can read more about these vulnerabilities in the blog post on the Kaspersky Lab ICS CERT website here.

About Kaspersky Lab

Kaspersky Lab is a global cybersecurity company celebrating its 20 year anniversary in 2017. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at


For the latest in-depth information on security threat issues and trends, please visit:

Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter

Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter


About Kaspersky Lab ICS CERT

Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) is a global project launched by Kaspersky Lab in 2016 to coordinate the efforts of automation system vendors, industrial facility owners and operators, and IT security researchers to protect industrial enterprises from cyberattacks. Kaspersky Lab ICS CERT devotes its efforts primarily to identifying potential and existing threats that target industrial automation systems and the Industrial Internet of Things. During its first year of operation, the team identified over 110 critical vulnerabilities in products by major global ICS vendors. Kaspersky Lab ICS CERT is an active member and partner of leading international organizations that develop recommendations on protecting industrial enterprises from cyberthreats.




Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
The Case for Integrating Physical Security & Cybersecurity
Paul Kurtz, CEO & Cofounder, TruSTAR Technology,  3/20/2018
A Look at Cybercrime's Banal Nature
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/20/2018
City of Atlanta Hit with Ransomware Attack
Dark Reading Staff 3/23/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.