Full Report
Stack overflow in custom XML-parser in Gemalto’s HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55 leads to remote denial of service
Analysis Summary
# Vulnerability: Stack Overflow in Sentinel LDK XML-Parser
## CVE Details
- **CVE ID:** CVE-2017-12818
- **CVSS Score:** 7.5 (High) - *Note: Based on vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H*
- **CWE:** CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- **Products:** Gemalto (Thales) HASP SRM, Sentinel HASP, and Sentinel LDK.
- **Versions:** All versions prior to Sentinel LDK RTE (Run-time Environment) version 7.55/7.60.
- **Configurations:** Systems running the Sentinel License Manager service, typically listening on network ports.
## Vulnerability Description
A stack overflow vulnerability exists within the custom XML-parser utilized by the Sentinel LDK Run-time Environment. The flaw is triggered when the parser processes specially crafted XML data. Because the parser does not properly validate the depth or size of the input before processing it on the stack, an attacker can cause the service to crash.
## Exploitation
- **Status:** Unknown (No public PoC listed in the advisory, but the flaw is well-characterized).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Remote Denial of Service)
## Remediation
### Patches
- **Sentinel LDK RTE v7.60:** Users are advised to update to version 7.60 or higher.
- Official updates can be found at the Sentinel Customer Downloads site: hxxps[://]sentinelcustomer[.]gemalto[.]com/sentineldownloads/
### Workarounds
- No specific software workarounds provided; however, standard network hardening (restricting access to the affected port) is recommended if patching is delayed.
## Detection
- **Indicators of Compromise:** Unexpected crashes of the Sentinel License Manager service (`hasplms.exe`).
- **Detection Methods and Tools:**
  - Monitor network traffic for suspicious or malformed XML payloads directed at **TCP/UDP Port 1947** (the default port for Sentinel License Manager).
  - Monitor for suspicious file executions or service restarts related to the HASP/Sentinel environment.
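
A host-side triage of the indicators above, as an added PowerShell example that is not part of the advisory or the vendor's tooling. The port and image name come from this page; the event IDs are the standard Windows ones for application and service crashes, and the `Sentinel|HASP` service-name pattern and the 7-day window are assumptions to adjust for your installation.

```powershell
# Added example: triage one Windows host for the indicators in this advisory.
$Port      = 1947             # default Sentinel License Manager port (from the page)
$ImageName = 'hasplms.exe'    # License Manager image name (from the page)
$SvcHint   = 'Sentinel|HASP'  # assumption: pattern matching the service display name
$Since     = (Get-Date).AddDays(-7)   # assumption: look-back window

# Resolve a process ID to its executable path (may be empty without elevation).
function Get-OwnerPath([int]$ProcessId) {
    (Get-Process -Id $ProcessId -ErrorAction SilentlyContinue).Path
}

# 1. Exposure: which local addresses is the port bound to, and by which binary?
$listeners = @(
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Proto'; e = { 'TCP' } }, LocalAddress, OwningProcess
    Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Proto'; e = { 'UDP' } }, LocalAddress, OwningProcess
) | Select-Object Proto, LocalAddress,
        @{ n = 'Path';    e = { Get-OwnerPath $_.OwningProcess } },
        @{ n = 'Exposed'; e = { $_.LocalAddress -notin '127.0.0.1', '::1' } }

# 2. Application crashes (Application Error, event 1000) that name the image.
$appCrashes = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'
        Id = 1000; StartTime = $Since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*$ImageName*" })

# 3. Unexpected service terminations (Service Control Manager, events 7031 and 7034).
$svcCrashes = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7031, 7034; StartTime = $Since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $SvcHint })

# Report: listeners first, then the crash timeline in chronological order.
$listeners | Format-Table -AutoSize
$appCrashes + $svcCrashes | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName, Message | Format-List

if (($listeners | Where-Object Exposed) -and ($appCrashes.Count + $svcCrashes.Count)) {
    Write-Warning ("Port $Port is bound to a non-loopback address and crashes were " +
        "logged since $Since; verify the installed Sentinel LDK RTE version.")
}
```

A crash on its own does not distinguish this flaw from an ordinary fault, so correlate any hits with inbound connections to port 1947 around the same timestamps.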
## References
- **Vendor Advisory:** KLCERT-17-004
- **NVD:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2017-12818
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2017/10/02/klcert-17-004-sentinel-ldk-rte-stack-overflow-in-custom-xml-parser-leads-to-remote-denial-of-service/