Schneider Electric Floating License Manager Vulnerability
Risk: Low
Source: ICS-CERT ICSA-14-058-01
Date: Nov 30, 2014
Summary
Schneider Electric Floating License Manager versions 1.0.0 through 1.4.0 contain a vulnerability (CWE-428) in license verification logic that could allow an attacker with network access to modify or bypass license enforcement. No security update is planned by the vendor; these versions are no longer supported.
What this means
What could happen
An attacker with network access to the Floating License Manager could modify or disable license verification, potentially allowing unauthorized use of Schneider Electric software tools or affecting the ability to manage licensing across engineering workstations and control systems.
Who's at risk
Energy sector operators, particularly those using Schneider Electric engineering software tools (EcoStruxure, SoMachine, engineering workstations) and relying on Floating License Manager versions 1.0.0 through 1.4.0 to enforce software licensing across their engineering and automation infrastructure.
How it could be exploited
An attacker on the network containing the Floating License Manager could send crafted requests to the license server to bypass authentication or modify license data. This could be done without direct credentials if the service is accessible from an attacker's position on the network.
Prerequisites
- Network access to the Floating License Manager service
- No credentials required if the service is exposed to untrusted network segments
- Knowledge of the license manager protocol or service port
- No patch available
- End-of-life product
- Affects software licensing control
- Remotely exploitable if accessible on the network
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (1)
Product | Affected Versions | Fix Status
Floating License Manager | >= 1.0.0 and <= 1.4.0 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate the Floating License Manager to a protected engineering network segment; restrict network access using firewall rules to only authorized engineering workstations and software tools that require license verification
HARDENING: Implement network segmentation to ensure the Floating License Manager is not reachable from external networks or untrusted internal segments (e.g., IT network, guest network, DMZ)
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Monitor network traffic to and from the Floating License Manager for unauthorized access attempts
Long-term hardening
WORKAROUND: Evaluate migration to a supported Schneider Electric licensing solution or alternative licensing mechanism, as no fix is planned for versions 1.0.0 through 1.4.0
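As an added example (not from the advisory or the vendor), the following script implements the monitoring item above: it scans firewall log lines for connections to the license manager's service from hosts outside the authorized engineering segment. The host address 10.10.20.5, the port 27000, the 10.10.20.0/24 segment and the key=value log format are assumed placeholders; replace them with your deployment's values.

```python
import ipaddress
import re

# Assumed deployment values (placeholders, not from the advisory): the license
# manager host address, the TCP port its service listens on, and the protected
# engineering segment that alone may reach it.
LICENSE_MANAGER_IP = "10.10.20.5"
LICENSE_MANAGER_PORT = 27000  # placeholder; use your deployment's actual port
AUTHORIZED_NETS = [ipaddress.ip_network("10.10.20.0/24")]

# Key=value firewall log format, constructed for this example.
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")

def is_authorized_source(src, authorized_nets=AUTHORIZED_NETS):
    """True if src lies inside one of the authorized engineering segments."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparsable source address is never trusted
    return any(addr in net for net in authorized_nets)

def find_unauthorized_access(lines, lm_ip=LICENSE_MANAGER_IP,
                             lm_port=LICENSE_MANAGER_PORT,
                             authorized_nets=AUTHORIZED_NETS):
    """Return (src, line) for each connection to the license manager service
    from outside the authorized segments; traffic to other hosts or ports and
    malformed lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["dst"] != lm_ip or int(m["dport"]) != lm_port:
            continue
        if not is_authorized_source(m["src"], authorized_nets):
            findings.append((m["src"], line.strip()))
    return findings

# Constructed sample log: two authorized workstations, one IT-network host,
# one DMZ host, one unrelated connection and one malformed entry.
SAMPLE_LOG = [
    "2014-11-30T10:01:22Z src=10.10.20.41 dst=10.10.20.5 dport=27000 action=accept",
    "2014-11-30T10:01:30Z src=10.10.20.42 dst=10.10.20.5 dport=27000 action=accept",
    "2014-11-30T10:02:05Z src=192.168.1.77 dst=10.10.20.5 dport=27000 action=accept",
    "2014-11-30T10:02:40Z src=172.16.5.9 dst=10.10.20.5 dport=27000 action=accept",
    "2014-11-30T10:03:00Z src=192.168.1.77 dst=10.10.20.9 dport=443 action=accept",
    "2014-11-30T10:03:10Z malformed entry",
]
```

Running find_unauthorized_access(SAMPLE_LOG) flags the IT-network and DMZ hosts (192.168.1.77 and 172.16.5.9), which is exactly the traffic the segmentation rules above are meant to block.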
CVEs (1)