Schneider Electric Floating License Manager
Priority: Act Now (score 9.8) · ICS-CERT ICSA-19-192-07 · Jul 11, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Floating License Manager versions 2.3.0.0 and earlier contain input validation (CWE-20) and buffer overflow (CWE-119) vulnerabilities that allow an attacker to deny the acquisition of valid licenses for legal use of the product. An attacker with network access to the license service can trigger these flaws without authentication, preventing legitimate users from obtaining license tokens needed to run Schneider Electric software on engineering workstations and control systems.
What this means
What could happen
An attacker could prevent legitimate users from acquiring valid licenses for Floating License Manager, effectively blocking software access for engineering workstations and control systems that depend on license validation. This could halt configuration, monitoring, or engineering activities in a facility.
Who's at risk
Energy sector organizations using Schneider Electric Floating License Manager on engineering workstations, configuration systems, or control system environments that require license validation for PLC programming, HMI development, or SCADA software access.
How it could be exploited
An attacker with network access to the Floating License Manager service (typically port 27000) can send malformed input to trigger input validation or buffer overflow flaws, causing the license service to deny valid license requests. The service does not require authentication to process license queries.
Prerequisites
- Network access to Floating License Manager service port (default 27000)
- No authentication required to trigger vulnerability
Tags: remotely exploitable, no authentication required, low complexity, affects engineering/operational continuity
Exploitability
Moderate exploit probability (EPSS 4.4%)
Affected products (1)
Product                   Affected Versions   Fix Status
Floating License Manager  <= 2.3.0.0          fixed in 2.3.1.0
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the Floating License Manager service port (default 27000) to only authorized engineering workstations and subnets using firewall rules.
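The following PowerShell is an added example of the workaround above, not Schneider Electric's own guidance or tooling. It assumes the license manager runs on a Windows host with the built-in NetSecurity module (Windows 8 / Server 2012 or later), that the service listens on TCP 27000 as stated in this advisory, and that 10.20.30.0/24 and 10.20.31.0/24 are placeholders for the authorized engineering subnets. It re-scopes any existing "any address" allow rule for the port, adds its own scoped allow rule, and then audits which inbound allow rules still reach the port. Run it in an elevated session on the license server.

```powershell
# Added example for ICSA-19-192-07; not vendor code. Placeholder values:
# the port named in the advisory and two made-up engineering subnets.
$LicensePort   = 27000
$AuthorizedNet = @('10.20.30.0/24', '10.20.31.0/24')
$RuleName      = 'FLM-License-27000-Scoped'

# 1. Windows Firewall evaluates Block rules before Allow rules, so a broad
#    Block rule for the port would also cut off the engineering subnets.
#    Instead rely on the profile default (drop unsolicited inbound) and make
#    every Allow rule for the port scoped to the authorized addresses.
Get-NetFirewallProfile | Set-NetFirewallProfile -DefaultInboundAction Block

# 2. Re-scope existing inbound Allow rules that open the license port
#    (installers commonly add one with RemoteAddress = Any).
Get-NetFirewallPortFilter -Protocol TCP |
  Where-Object { $_.LocalPort -eq "$LicensePort" } |
  Get-NetFirewallRule |
  Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
  Set-NetFirewallRule -RemoteAddress $AuthorizedNet

# 3. Add a scoped Allow rule of our own; remove a stale copy first so the
#    script can be re-run.
Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue |
  Remove-NetFirewallRule
New-NetFirewallRule -Name $RuleName `
  -DisplayName 'Floating License Manager (authorized subnets only)' `
  -Direction Inbound -Action Allow -Protocol TCP -LocalPort $LicensePort `
  -RemoteAddress $AuthorizedNet -Profile Any | Out-Null

# 4. Audit: every enabled inbound Allow rule that touches the port, with its
#    remote-address scope. A rule whose scope is "Any" defeats the workaround.
function Get-LicensePortAllowRules {
  Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$LicensePort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                   $_.Enabled -eq 'True' } |
    ForEach-Object {
      [pscustomobject]@{
        Name          = $_.Name
        RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
      }
    }
}
Get-LicensePortAllowRules | Format-Table -AutoSize

# 5. Confirm from a host OUTSIDE the authorized subnets that the port is now
#    closed (TcpTestSucceeded should be False there, True from an engineering
#    workstation):
#    Test-NetConnection -ComputerName <license-server> -Port 27000
```

Keep the audit output with the change record: the workaround only holds as long as no later installer or administrator re-adds an unscoped allow rule for the port, and if the service listens on any additional ports in your deployment, scope those the same way.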
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
HOTFIX: Upgrade Floating License Manager to version 2.3.1.0 or later.
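To confirm which hosts still need the hotfix, the following PowerShell is an added inventory check, not a Schneider Electric tool. It assumes the product registers a standard Add/Remove Programs entry whose DisplayName contains "Floating License Manager" and whose DisplayVersion is a dotted version string such as 2.3.0.0 (both assumptions; adjust the match if your installation registers differently). Versions below 2.3.1.0, the first fixed release named in this advisory, are reported as vulnerable.

```powershell
# Added example for ICSA-19-192-07; not vendor code. The DisplayName pattern
# and the two uninstall registry paths are assumptions about a standard
# Windows installer, not something this advisory states.
$FixedVersion = [version]'2.3.1.0'

function Get-FloatingLicenseManagerStatus {
  param([string[]]$ComputerName = @($env:COMPUTERNAME))

  # Runs locally or via Invoke-Command on each remote host.
  $scan = {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
      Where-Object { $_.DisplayName -like '*Floating License Manager*' } |
      Select-Object DisplayName, DisplayVersion
  }

  foreach ($computer in $ComputerName) {
    $entries = if ($computer -eq $env:COMPUTERNAME) { & $scan }
               else { Invoke-Command -ComputerName $computer -ScriptBlock $scan }

    if (-not $entries) {
      [pscustomobject]@{ Computer = $computer; Product = '(not installed)'
                         Version  = $null;     Status  = 'n/a' }
      continue
    }

    foreach ($e in $entries) {
      $v = $null
      # Compare as [version] objects, not strings: '2.10.0.0' -lt '2.3.1.0'
      # would be true as a string comparison and wrong.
      $status = if ([version]::TryParse($e.DisplayVersion, [ref]$v)) {
        if ($v -lt $FixedVersion) { 'VULNERABLE: upgrade to 2.3.1.0 or later' }
        else { 'patched' }
      } else { 'unknown version string; check manually' }

      [pscustomobject]@{ Computer = $computer;        Product = $e.DisplayName
                         Version  = $e.DisplayVersion; Status  = $status }
    }
  }
}

# Local host by default; pass -ComputerName for a list of license servers
# and engineering workstations (requires WinRM/PowerShell remoting).
Get-FloatingLicenseManagerStatus | Format-Table -AutoSize
```

A host reporting "patched" still needs the firewall scoping from the "Do now" item; the upgrade removes the flaw, while the scoping limits who can reach the service at all.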
Long-term hardening
HARDENING: Segment the license manager and Schneider Electric engineering tools onto a separate network isolated from the business network and from Internet access.