Gemalto has fixed vulnerabilities found by Positive Technologies expert Alexander Morozov in Sentinel LDK, a copy protection and licensing solution for software developers.
The vulnerabilities were found in the Sentinel EMS server, a part of the Sentinel LDK system that enables developers to manage licensing and distribution of their software.
"Leveraging these security flaws, an attacker could have taken over legitimate user accounts on the Sentinel EMS server. Since the server provisions licenses for protected software, this vulnerability opened the door to infringing and unlawful use," explained Alexander Morozov, penetration tester at Positive Technologies.
In some cases, a range of other attacks were possible, including remotely hijacking a legitimate user account on the Sentinel EMS server, redirecting a user's browser to a malicious website by means of XSS or Content Spoofing, or performing an XXE attack to read arbitrary files on the server (for example, to obtain passwords for other services).
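The XXE item above is the one with the clearest server-side fix: an XML parser that honours DTDs will resolve an external entity declared in untrusted input, which is how an attacker reads files the server can read. The usual defence is to refuse DTDs (and hence entity declarations) outright before the document reaches any parser. The following is an added illustration of that check and is not code from Gemalto, Positive Technologies, or the Sentinel LDK product; the function names, the "license request" message format, and the two sample documents are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# XML keywords are case-sensitive, but matching case-insensitively costs nothing
# and closes off lax parsers. A DTD can only legally appear in the prolog, and an
# ENTITY declaration can only appear inside a DTD, so DOCTYPE alone would do;
# both markers are checked for defence in depth.
_DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXmlError(ValueError):
    """Raised when untrusted XML carries a DTD or entity declaration."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted client, refusing any document with a DTD.

    The byte-level pre-check is parser-agnostic: it blocks external entities
    (XXE file reads, SSRF) and internal entity expansion (billion laughs) no
    matter which XML library sits behind it.
    """
    if _DTD_MARKERS.search(data):
        raise UnsafeXmlError("DTD/entity declarations are not accepted from untrusted input")
    return ET.fromstring(data)


def license_request_status(data: bytes) -> str:
    """Classify an incoming (hypothetical) license request document.

    Returns 'rejected-dtd', 'rejected-malformed', or 'accepted:<root tag>'.
    """
    try:
        root = parse_untrusted_xml(data)
    except UnsafeXmlError:
        return "rejected-dtd"
    except ET.ParseError:
        return "rejected-malformed"
    return "accepted:" + root.tag


# Constructed sample inputs (not from the advisory or the product).
BENIGN_REQUEST = b"<licenseRequest><product>demo</product><seats>5</seats></licenseRequest>"

# Constructed XXE-style document: declares an external entity pointing at a
# placeholder server path and references it in the body. The pre-check rejects
# it before any parser gets a chance to resolve the entity.
XXE_REQUEST = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE licenseRequest [<!ENTITY ext SYSTEM "file:///placeholder/path/on/server">]>'
    b"<licenseRequest><product>&ext;</product></licenseRequest>"
)

if __name__ == "__main__":
    print(license_request_status(BENIGN_REQUEST))   # accepted:licenseRequest
    print(license_request_status(XXE_REQUEST))      # rejected-dtd
```

Two caveats for anyone adapting this: the regex runs on raw bytes, so a document in a non-ASCII-compatible encoding such as UTF-16 must be decoded (or rejected) first, otherwise the marker will not match; and the pre-check complements, rather than replaces, configuring the parser itself to disallow DTDs and external entity resolution, which is the setting to verify in whatever XML library the server actually uses.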
To fix these vulnerabilities, Gemalto has released security updates 20170626_1 and 20170819.
SafeNet, the developer of Sentinel LDK, has been repeatedly recognized by Gartner as a leader in the Magic Quadrant for User Authentication. In 2014, SafeNet became a part of Gemalto.
In the last two years, Positive Technologies specialists have found a number of vulnerabilities in security software. While performing an ATM security audit in 2017, Georgy Zaytsev came across a vulnerability in Kaspersky Embedded Systems Security. That same year, Kirill Shipulin found a way to suspend intrusion detection by Suricata IDS without any alert. In 2016, Intel Security recognized Maxim Kozhevnikov, who reported a critical vulnerability in McAfee Solidcore.