News broke today that a variety of serious vulnerabilities have been identified in the Hardware Against Software Piracy (HASP) license management system of popular license management software used in corporate and ICS environments to activate software on PCs and servers. If these vulnerabilities are left unpatched, the popular license management USB-token can be used to open a hidden remote access channel for cyberattackers. Christopher Littlejohns, EMEA Manager at Synopsys commented below.
Christopher Littlejohns, EMEA Manager at Synopsys:
“In this article Kaspersky clearly attributes the root cause of many such ICS related software vulnerabilities to ineffective secure software development practices. Whilst the industry is gradually raising their game, in part due to the activity of hackers, security researchers finding issues, and customer demands, many are still behind the curve on many aspects. In this case there were a number of contributing factors including inappropriate configuration, open ports, lack of authentication, the use of vulnerable components, and an apparent lack of security focused testing. Interestingly Kaspersky used a tried and tested hacking technique, namely ‘fuzzing’ to uncover the vulnerability and then developed it with other common techniques to cause multiple opportunities for the execution of code on the machine. These machines would be used to monitor and control ICS devices, so the potential impact is enormous. This is exactly the sort of penetration that Nation Intelligence services, Criminals and Terrorists crave and keep to themselves for future exploitation. It is all the more worrying that the installation of software that is supposed to prevent the operation of proprietary software is the very thing that causes a systemic vulnerability. Users will generally have high trust in such software, particularly when it comes from a key supplier. All in all this demonstrates that Software Supply Chain Management is a crucial aspect of modern business operations, and over trusting software from suppliers can be a dangerous mistake. Organisations that are rely on their IT systems being secure need to verify their software is secure as well as verify that their suppliers have a secure development lifecycle. If you don’t then you have abdicated that responsibility and may suffer severe consequences.”