security flaw: NodeLocked license within remote desktop



Gilles Noyer
02-19-2015, 11:24 AM
Dear FlexNetPublisher user.
I would like to inform you that there is a security flaw in all versions of FNP when using a nodelocked license within remote desktop (aka TSE).
This security flaw allows bypassing the remote desktop limitation and allows sharing the license between several stations. This security flaw is a loss of revenue, because the end-user may buy fewer licenses and share them between several stations in distant sites.

Context.

When the end-user launches a nodelocked license which does not contain the keyword TS_OK, the expected result is that this license is not usable within remote desktop.
In a normal situation, this is the case: when the user launches the application from a remote desktop session, the user receives an error -103 “Cannot checkout an uncounted license within a Windows Terminal Services guest session.”
But it is possible to bypass this limitation by following this simple process:
1) On the physical station, one user launches the application. The application successfully launches because it is launched from the console.
2) A distant user can now use remote desktop to use the software within remote desktop. As the software is already launched, the software is correctly displayed on the distant station.
3) The FNP heartbeat does not detect that the state changed from console to remote desktop, and the distant user can continue to use the software.

The Flexera point of view

Flexera agreed to open an enhancement request. The number is IOJ-1575959.
As this security flaw impacts all ISVs using nodelocked licenses without the TS_OK keyword, it seems important that Flexera fixes it.
But this enhancement has been assigned a low priority, and currently has a low chance of being fixed.

What you can do
If you think you are impacted by this security flaw, maybe you can open a support case with Flexera and ask for the enhancement IOJ-1575959 to be fixed.
Flexera fixing this ‘bug’ will help the whole community of FNP users and increase the quality level of FNP.
Do not hesitate to post a comment saying what you will do.

Note

Note: Flexera can suggest that you develop a workaround yourself, but for ISVs having several license models (NodeLocked and/or Floating) this is more complex. And if you have a large number of software products, it will be very difficult to validate all of them.
Of course, the most serious way is that Flexera fixes all security flaws.



Have a nice day.
Gilles Noyer.
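
One way an ISV could build the workaround mentioned in the note, as an added example that is not part of the original post and not Flexera code: re-check the session state on every heartbeat tick instead of only at checkout. The `nodelock_guard` type, its functions and the timeline are hypothetical; it assumes `GetSystemMetrics(SM_REMOTESESSION)` reflects the session's current attachment, and that the caller releases the license through its own licensing wrapper when `LIC_REVOKE` is returned.

```c
#include <stdbool.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
/* Real probe: non-zero while this process's session is attached over RDP. */
static bool session_is_remote(void) { return GetSystemMetrics(SM_REMOTESESSION) != 0; }
#else
/* Non-Windows build so the logic can be exercised: always "console". */
static bool session_is_remote(void) { return false; }
#endif

typedef bool (*remote_probe_fn)(void);
typedef enum { LIC_KEEP = 0, LIC_REVOKE = 1 } lic_decision;

typedef struct {
    bool ts_ok;            /* true if the license line carries TS_OK */
    bool revoked;          /* sticky: a new checkout from the console is required */
    remote_probe_fn probe; /* how the session state is sampled */
} nodelock_guard;

static void guard_init(nodelock_guard *g, bool ts_ok, remote_probe_fn probe) {
    g->ts_ok = ts_ok;
    g->revoked = false;
    g->probe = probe ? probe : session_is_remote;
}

/* Call at checkout AND on every heartbeat tick, not only at checkout. */
static lic_decision guard_check(nodelock_guard *g) {
    if (!g->revoked && !g->ts_ok && g->probe())
        g->revoked = true;
    return g->revoked ? LIC_REVOKE : LIC_KEEP;
}

/* Constructed timeline: launched at the console, RDP attaches at tick 2. */
static const bool timeline[] = { false, false, true, true, false };
static int tick;
static bool scripted_probe(void) { return timeline[tick]; }

/* Replays the timeline; returns the first tick that revokes, or -1. */
static int first_revoked_tick(bool ts_ok) {
    nodelock_guard g;
    guard_init(&g, ts_ok, scripted_probe);
    for (tick = 0; tick < (int)(sizeof timeline / sizeof timeline[0]); tick++)
        if (guard_check(&g) == LIC_REVOKE)
            return tick;
    return -1;
}

int main(void) {
    printf("no TS_OK: revoked at tick %d\n", first_revoked_tick(false));
    printf("TS_OK:    revoked at tick %d\n", first_revoked_tick(true));
    return 0;
}
```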