Analysis of CVE-2024-2658 as found in Schneider Electric's Floating License Manager. Discover how this FlexNet Publisher vulnerability potentially allows attackers to escalate to NT AUTHORITY\SYSTEM privileges and expand their foothold; learn how to mitigate the risk.
Analysis Summary
# Vulnerability: Privilege Escalation in Schneider Electric Floating License Manager
## CVE Details
- **CVE ID:** CVE-2024-2658
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-427 (Uncontrolled Search Path Element) / CWE-428 (Unquoted Service Path)
## Affected Systems
- **Products:** Schneider Electric Floating License Manager (based on Revenera FlexNet Publisher).
- **Versions:** All versions prior to v2.7.0.0.
- **Configurations:** Systems where the Floating License Manager is installed as a Windows service.
## Vulnerability Description
The vulnerability stems from the way the Floating License Manager handles search paths and service executables. Specifically, the software is susceptible to **DLL Hijacking** and/or **Unquoted Service Path** issues.
- The application attempts to load required resources or executables without specifying an absolute path.
- If a low-privileged user has write access to the application’s directory or a parent folder (due to weak default permissions), they can place a malicious DLL or executable in the search path.
- When the License Manager service starts (which typically runs with `NT AUTHORITY\SYSTEM` privileges), it executes the malicious file instead of the intended one.
## Exploitation
- **Status:** PoC available (detailed in the Kaspersky analysis); no confirmed "in the wild" exploitation reported at the time of publication.
- **Complexity:** Medium (Requires existing local access to the file system).
- **Attack Vector:** Local (The attacker must be able to place files on the local file system).
## Impact
- **Confidentiality:** High (Full access to system data via SYSTEM privileges).
- **Integrity:** High (Ability to modify system files and configurations).
- **Availability:** High (Ability to stop services or crash the host system).
## Remediation
### Patches
- **Schneider Electric:** Upgrade to **Floating License Manager v2.7.0.0** or later.
- Ensure that the underlying FlexNet Publisher component is updated to the version recommended by the vendor.
### Workarounds
- **Service Security:** Manually wrap the service path in double quotes in the Windows Registry if it is unquoted.
- **File Permissions:** Restrict write permissions to the installation folders of the Floating License Manager to ensure only Administrators can modify the directory contents.
- **Principle of Least Privilege:** Ensure the service runs under a dedicated service account with the minimum necessary permissions rather than `SYSTEM`, if supported.
## Detection
- **Indicators of Compromise:** Presence of unexpected DLL files in the License Manager installation directory (e.g., `fnp_tool.dll` or similar system-named files that are not digitally signed by Schneider Electric or Revenera).
- **Detection Methods:**
  - Use EDR/AV tools to monitor for "Service Escalation" behaviors.
  - Audit Windows Event Logs for service start failures or unexpected process spawning under `lmgrd.exe`.
  - Scan for unquoted service paths via PowerShell: `Get-CimInstance -ClassName Win32_Service | Select-Object Name, PathName | Where-Object {$_.PathName -notlike '"*' -and $_.PathName -like '* *'}`.
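The one-liner above also flags services whose only space separates the binary from its arguments. The audit below is an added example, not code from the Schneider Electric advisory or the Kaspersky analysis: it isolates the executable path before testing for spaces and also applies the file-permission check from the workarounds to each service's binary directory. The SID list and the write mask are assumptions about which principals and rights count as risky.

```powershell
# Added example (not vendor code). Run elevated so every directory ACL is readable.
# Assumed low-privileged principals: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'
# WriteData/CreateFiles (0x2), AppendData (0x4), GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
$writeMask = 0x50000006

function Get-ServiceExePath([string]$PathName) {
    # Quoted: the executable is whatever sits between the first pair of quotes.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted: take everything up to the first ".exe" and drop trailing arguments.
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null   # empty or non-.exe image paths are skipped by the caller
}

function Test-LowPrivWrite([string]$Directory) {
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return $null }
    # Ask for SIDs instead of names so the check also works on localized Windows builds.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and
            $lowPrivSids -contains $r.IdentityReference.Value -and
            ([int]$r.FileSystemRights -band $writeMask)) { return $true }
    }
    return $false
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $exe = Get-ServiceExePath $_.PathName
    if (-not $exe) { return }
    # Unquoted only matters when the executable path itself contains a space.
    $unquoted = ($_.PathName.TrimStart() -notlike '"*') -and ($exe -like '* *')
    $writable = Test-LowPrivWrite ([System.IO.Path]::GetDirectoryName($exe))
    if ($unquoted -or $writable) {
        [pscustomobject]@{
            Name                 = $_.Name
            StartName            = $_.StartName
            UnquotedPath         = $unquoted
            DirWritableByLowPriv = $writable
            PathName             = $_.PathName
        }
    }
} | Format-Table -AutoSize -Wrap
```

A row with `StartName` of `LocalSystem` and either flag set is the combination described in the Vulnerability Description; an empty `DirWritableByLowPriv` means the ACL could not be read.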
## References
- Schneider Electric Advisory: [https://www.se.com/ww/en/download/document/SEVD-2024-100-04/](https://www.se.com/ww/en/download/document/SEVD-2024-100-04/)
- Kaspersky Securelist Analysis: [https://securelist.com/tr/schneider-electric-cve-2024-2658-vulnerability/120436/](https://securelist.com/tr/schneider-electric-cve-2024-2658-vulnerability/120436/)
- NVD Listing: [https://nvd.nist.gov/vuln/detail/CVE-2024-2658](https://nvd.nist.gov/vuln/detail/CVE-2024-2658)