SUMMARY
Foundry is aware the RLM Web Server component is potentially susceptible to a remote code execution vulnerability (RCE) on the host server depending on how the RLM service is configured.
Furthermore, the RLM Web Server component is potentially susceptible to additional authentication and authorization vulnerabilities.
At the time of writing, this is known to affect RLM 12, but may apply to more versions of this software.
More information on the RCE vulnerability can be found in CVE-2018-15573, where it pertains to Windows servers, but Foundry engineers have determined that similar RCE vulnerabilities may apply to Linux and macOS servers as well.
More information on authentication and authorization vulnerabilities can be reviewed on SecLists.
NOTE: This article assumes some knowledge of networking and license administration and it is targeted toward IT administrators.
MORE INFORMATION
This advisory applies to customers using RLM floating license servers, which ship with an embedded RLM Web Server component.
We are recommending that customers disable the embedded RLM Web Server feature of their RLM servers.
The RLM Web Server is an auxiliary tool that can be used to configure an RLM floating license server. It is an alternative to using either the Foundry Licensing Utility (FLU) or rlmutil.
Instead of using the RLM Web Server component, customers should use either the Foundry Licensing Utility (FLU) or rlmutil for RLM server configuration changes such as adding or updating licences. Consult Q100027: How to install a floating/server license and Q100659: What is the rlmutil and how can I use it? for more information.
Steps to disable this RLM Web Server component are outlined in the "Mitigation: Disabling the RLM Web Server" section below.
Customers wishing to continue using the RLM web server should follow the steps in section "Mitigation: Prevent RCE by disabling remote license file updating" below, although Foundry recommends disabling the web server component entirely.
Customers are encouraged to continue applying best practices and to ring-fence internal networks from the wider internet.
Foundry is taking active steps to patch our Foundry Licensing Utility (FLU) so that it applies the mitigations from this Knowledge Base article in future software releases.
Mitigation: Disabling the RLM Web Server
IMPORTANT: Reinstalling an RLM server, including reinstalling using the FLU, may change settings and may re-enable the RLM Web Server component. Care should be taken after RLM server installation to ensure the RLM Web Server remains suitably deactivated.
Disable the RLM Web Interface: Linux
- Stop the RLM Server
/etc/init.d/foundryrlmserver stop
- Edit /etc/init.d/foundryrlmserver, replace the line:
${BIN_DIR}/rlm.foundry -ws 4102 -c ${LIC_FILES} -dlog ${LOG_DIR}/foundry.log & >> ${LOG_DIR}/boot.log 2>&1
With
${BIN_DIR}/rlm.foundry -nows -c ${LIC_FILES} -dlog ${LOG_DIR}/foundry.log & >> ${LOG_DIR}/boot.log 2>&1
- Restart the RLM Server
Disable the RLM Web Interface: Windows
- Open the ‘Services’ application from the Start Menu
- Find the service “Foundry License Server”, right click on it and select “Stop” from the pop-up menu.
- Open the “Registry Editor” application from the Start Menu
- Enter the following path in the text field at the top, and press the Enter key:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Foundry License Server
- Double click on “Image Path”
- Use the “Edit String” dialog to replace the part of the line which says:
"-ws" "4102"
With:
"-nows"
Assuming you are using Foundry Licensing Tools 8.0 at the default install location, the full line should now read:
"C:\Program Files\The Foundry\LicensingTools8.0\bin\RLM\rlm.foundry.exe" "-c" "C:\ProgramData\The Foundry\RLM" "-nows" "-dlog" "C:\ProgramData\The Foundry\RLM\log\foundry.log" -service
- Restart the licensing server through the Services application from step 1, by right clicking on “Foundry License Server” and selecting “Start” from the submenu.
- Confirm the RLM web interface is no longer accessible by opening http://127.0.0.1:4102/ in your web browser.
Disable the RLM Web Interface: macOS
- Stop the RLM server
- Navigate to /Library/LaunchDaemons/, open the file uk.co.thefoundry.rlm.plist in a text editor, and replace the following lines:
<string>/Applications/TheFoundry/LicensingTools8.0/bin/RLM/rlm.foundry</string>
<string>-ws</string>
<string>4102</string>
<string>-c</string>
With
<string>/Applications/TheFoundry/LicensingTools8.0/bin/RLM/rlm.foundry</string>
<string>-nows</string>
<string>-c</string>
- Launch a terminal and reload the RLM daemon via these commands:
sudo launchctl unload /Library/LaunchDaemons/uk.co.thefoundry.rlm.plist
sudo launchctl load /Library/LaunchDaemons/uk.co.thefoundry.rlm.plist
- Start the server
- Test that the web interface has been disabled by navigating to HOSTNAME:4102 in your browser.
Mitigation: Prevent RCE by disabling remote license file updating
IMPORTANT: Reinstalling an RLM server, including reinstalling using the FLU, may change settings and may re-enable the RLM Web Server component. Care should be taken after RLM server installation to ensure the RLM Web Server remains suitably deactivated.
Preventing the RCE vulnerability requires changing the RLM Web Server to disallow remote updating of the installed license files. Note that you can still securely update your license files by using the Foundry Licensing Utility (FLU).
- Click the EDIT rlm Options button on the status page of the Web UI
- In the RLM Options box, enter:
EXCLUDE edit_rlm_options internet *
- Click Update Options
- Confirm that the Edit RLM Options button is no longer present on the status page.
- Confirm that permission is denied on the edit license files page.
All other features of the RLM Web interface should still be accessible.
Linux Users
- Run the following command:
sudo bash -c 'echo "EXCLUDE edit_rlm_options internet *" >> /opt/FoundryLicensingUtility/bin/rlm.opt'
- Restart the RLM Server
Please bear in mind that the mitigation above protects you from the Remote Code Execution vulnerability only.
Please follow the steps from section "Mitigation: Enable Password Authentication" to enable authentication.
The RLM Web Server also has additional vulnerabilities related to unencrypted and unauthenticated access to potentially sensitive data, and so additional mitigations should be considered to protect access to the RLM Web Server.
Mitigation: Enable Password Authentication
IMPORTANT: Reinstalling an RLM server, including reinstalling using the FLU, may change settings and may re-enable the RLM Web Server component. Care should be taken after RLM server installation to ensure the RLM Web Server remains suitably deactivated.
Enable Password Authentication: Linux
- Run the following command:
sudo bash -c 'echo "admin::all" >> /opt/FoundryLicensingUtility/bin/rlm.pw'
- Restart the RLM Server
- Log in with username ‘admin’, leaving the password field blank.
- Select “Change Password” and change the password to a strong password.
Enable Password Authentication: Windows
- Find Command Prompt in the Start Menu, right click it and select “Run as administrator”.
- Run the following command:
echo admin::all > "C:\Program Files\The Foundry\LicensingTools8.0\bin\RLM\rlm.pw"
- Open the “Services” application in the Start Menu, find “Foundry License Server”, right click it and select Restart.
- Log in to the RLM web user interface with username ‘admin’, leaving the password field blank.
- Select “Change Password” and change the password to a strong password.
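The following audit script is an added example, not Foundry's own tooling. On a Linux RLM host it checks whether the three mitigations in this article are in place: the -nows flag from “Disabling the RLM Web Server”, the EXCLUDE line from “Prevent RCE by disabling remote license file updating”, and a populated rlm.pw from this section. It assumes the file paths named in the article and that curl is installed for the live port check; the sample launch lines at the bottom are copied from the article so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not Foundry's own tooling: audit the three Linux mitigations
# this article describes. Paths are the ones the article names; override them
# via the environment if your install differs. Each check returns 0 or 1.
INIT_SCRIPT="${INIT_SCRIPT:-/etc/init.d/foundryrlmserver}"
RLM_OPT="${RLM_OPT:-/opt/FoundryLicensingUtility/bin/rlm.opt}"
RLM_PW="${RLM_PW:-/opt/FoundryLicensingUtility/bin/rlm.pw}"

# Check 1: the rlm.foundry launch line carries -nows and no "-ws <port>".
webserver_disabled() {              # $1 = init script contents
    printf '%s\n' "$1" | grep -q 'rlm\.foundry.*-nows' &&
    ! printf '%s\n' "$1" | grep -Eq 'rlm\.foundry.*-ws[[:space:]]+[0-9]+'
}

# Check 2: rlm.opt denies option editing to remote ("internet") clients.
remote_edit_excluded() {            # $1 = rlm.opt contents
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*EXCLUDE[[:space:]]+edit_rlm_options[[:space:]]+internet[[:space:]]+\*'
}

# Check 3: rlm.pw holds at least one user:password:permissions entry
# (the article seeds it with admin::all), so the web UI demands a login.
password_file_populated() {         # $1 = rlm.pw contents
    printf '%s\n' "$1" | grep -Eq '^[^:#[:space:]]+:[^:]*:[^[:space:]]+'
}

# Check 4 (live only): the article's browser test against port 4102.
web_ui_reachable() { curl -s -o /dev/null --max-time 3 "http://127.0.0.1:4102/"; }

read_or_empty() { [ -r "$1" ] && cat "$1" || printf ''; }

audit() {
    rc=0
    webserver_disabled "$(read_or_empty "$INIT_SCRIPT")" &&
        echo "OK   -nows set in $INIT_SCRIPT" ||
        { echo "WARN web server not disabled in $INIT_SCRIPT"; rc=1; }
    remote_edit_excluded "$(read_or_empty "$RLM_OPT")" &&
        echo "OK   remote option editing excluded in $RLM_OPT" ||
        { echo "WARN EXCLUDE edit_rlm_options line missing from $RLM_OPT"; rc=1; }
    password_file_populated "$(read_or_empty "$RLM_PW")" &&
        echo "OK   users present in $RLM_PW" ||
        { echo "WARN no users in $RLM_PW: web UI is unauthenticated"; rc=1; }
    web_ui_reachable && echo "INFO web UI still answers on 127.0.0.1:4102"
    return $rc
}

# Constructed sample launch lines (copied from this article) for offline checks.
SAMPLE_WS='${BIN_DIR}/rlm.foundry -ws 4102 -c ${LIC_FILES} -dlog ${LOG_DIR}/foundry.log'
SAMPLE_NOWS='${BIN_DIR}/rlm.foundry -nows -c ${LIC_FILES} -dlog ${LOG_DIR}/foundry.log'
if [ "${1:-}" = "--live" ]; then audit; fi
```

Run it as `sh rlm_audit.sh --live` on the license server; a non-zero exit means at least one mitigation is missing, which makes it usable from cron or a configuration-management check after any FLU reinstall.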