Thales Sentinel LDK Run-Time Environment

Act Now9.6ICS-CERT ICSA-21-159-06Jun 8, 2021

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Thales Sentinel LDK Run-Time Environment versions 7.6 and earlier may leave TCP port 1947 open after uninstallation. This port allows the Sentinel License Manager to remain accessible, potentially permitting an attacker to connect and interact with licensing services or underlying system components.

What this means

What could happen

An attacker with network access to port 1947 could connect to a licensing service that should have been decommissioned, potentially gaining unauthorized access to systems that depend on Sentinel LDK for license enforcement. This could affect any industrial application or control system that uses Sentinel LDK for copy protection.

Who's at risk

This vulnerability affects any industrial control system, SCADA device, or engineering workstation that uses Thales Sentinel LDK for license management. Specific affected products include Halliburton GOHFER and other licensed software that relies on Sentinel LDK for copy protection. Water authorities and utilities with oilfield equipment (such as well monitoring or drilling supervision software) are at risk if they have uninstalled these products incompletely.

How it could be exploited

An attacker discovers that port 1947 is open on a device where Sentinel LDK was uninstalled. The attacker connects to this port and interacts with the Sentinel License Manager service, which may still be running or improperly decommissioned. Depending on the service state, the attacker could query licensing information, bypass license checks, or potentially execute commands on the affected system.

Prerequisites

Network access to TCP port 1947 on the affected device
Sentinel LDK Run-Time Environment version 7.6 or earlier previously installed and uninstalled without the purge option selected
The Sentinel License Manager service still listening on port 1947

remotely exploitableno authentication requiredlow complexityport left open after incomplete uninstallationaffects license enforcement and copy protectionno patch available for versions 7.6 and earlier

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (1)

ProductAffected VersionsFix Status

Sentinel LDK Run-Time Environment:≤ 7.68.15

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDIf uninstalling an affected version, select the purge option to remove the Sentinel License Manager and close port 1947

WORKAROUNDVerify that TCP port 1947 is closed on systems where Sentinel LDK has been uninstalled

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Sentinel LDK Run-Time Environment to version 8.15 or later

Long-term hardening

0/2

HARDENINGImplement network-based detection (IDS/IPS) rules to monitor and alert on connections to TCP port 1947

HARDENINGIsolate control system networks using Sentinel LDK-dependent products behind firewalls and from the business network

CVEs (1)

CVE-2021-32928

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d010a0b3-ff3e-4ea8-b31b-8a2ef87c43d9