CVE-2024-2658 Overview
A misconfiguration vulnerability exists in lmadmin.exe of FlexNet Publisher versions prior to 2024 R1 (11.19.6.0). The flaw allows the OpenSSL configuration file to load from a non-existent directory, enabling an unauthorized, locally authenticated user with low privileges to potentially create the directory and load a specially crafted openssl.conf file. This can lead to the execution of a malicious DLL (Dynamic-Link Library) with elevated privileges, resulting in local privilege escalation.
Critical Impact
Local privilege escalation allowing low-privileged users to execute arbitrary code with elevated privileges through DLL injection via a crafted OpenSSL configuration file.
Affected Products
- FlexNet Publisher versions prior to 2024 R1 (11.19.6.0)
- lmadmin.exe component in vulnerable FlexNet Publisher installations
- Systems running FlexNet Publisher License Server Manager
Discovery Timeline
- 2025-01-30 - CVE-2024-2658 published to NVD
- 2025-01-30 - Last updated in NVD database
Technical Details for CVE-2024-2658
Vulnerability Analysis
This vulnerability is classified as CWE-427 (Uncontrolled Search Path Element), a class of weaknesses where an application searches for critical resources using an externally-supplied search path that can point to resources outside the intended directory. In this case, the lmadmin.exe process attempts to load an OpenSSL configuration file from a directory that does not exist on the system by default.
When an application with elevated privileges references a configuration file path that doesn't exist, a local attacker can create the missing directory structure and place a malicious configuration file in that location. The OpenSSL configuration file format supports loading dynamic engines, which allows an attacker to specify a malicious DLL to be loaded when the configuration is parsed.
Root Cause
The root cause of this vulnerability lies in the hardcoded or misconfigured path reference within lmadmin.exe for the OpenSSL configuration file. The application expects the configuration file at a specific filesystem location that may not exist on a clean installation. This creates a race condition where an attacker with local access can preemptively create the directory structure and populate it with a malicious openssl.conf file before the legitimate application accesses it.
The OpenSSL library, when loading its configuration, follows the path specified in the OPENSSL_CONF environment variable or a default path. If the FlexNet Publisher service runs with elevated privileges and loads a configuration from a world-writable or user-controllable location, any DLL specified in that configuration will execute with those same elevated privileges.
Attack Vector
The attack requires local access to the target system with low-privilege user credentials. The attacker must:
- Identify the non-existent directory path that lmadmin.exe references for OpenSSL configuration
- Create the missing directory structure with appropriate permissions
- Craft a malicious openssl.conf file that references a DLL under the attacker's control
- Wait for or trigger the FlexNet Publisher service to restart or reload its configuration
- Upon loading, the malicious DLL executes with the elevated privileges of the lmadmin.exe process
The exploitation mechanism leverages the OpenSSL engine loading functionality. A crafted configuration file can specify a dynamic engine that points to an attacker-controlled DLL. When OpenSSL parses this configuration, it loads and executes the specified DLL, granting the attacker code execution in the context of the privileged process.
Detection Methods for CVE-2024-2658
Indicators of Compromise
- Unexpected directories created in paths typically reserved for OpenSSL configuration files
- Presence of openssl.conf or openssl.cnf files in non-standard locations
- Unusual DLL files in user-writable directories referenced by configuration files
- Process creation events showing lmadmin.exe spawning unexpected child processes or loading untrusted DLLs
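The check below is an added example, not code from the vendor advisory or from FlexNet Publisher: it scans the text of an OpenSSL configuration file for directives that load a shared library (`dynamic_path` in engine sections, `module` in provider sections) and marks any path outside administrator-controlled directories for review. The trusted prefixes, the function names and the sample fragment are assumptions made for this illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumption: directories only administrators can write to; adjust per host.
TRUSTED_PREFIXES = ("c:\\windows", "c:\\program files", "c:\\program files (x86)")
# Directives that make OpenSSL load a shared library while parsing its config:
# dynamic_path (engine sections) and module (provider sections).
LOADER_KEYS = {"dynamic_path", "module"}

def is_trusted(path_value):
    """True only for a path under a trusted prefix with no '..' component."""
    path = PureWindowsPath(path_value)
    if ".." in path.parts:
        return False
    norm = str(path).lower()
    return any(norm.startswith(prefix + "\\") for prefix in TRUSTED_PREFIXES)

def find_library_loads(conf_text):
    """Return (section, key, path, trusted) for each library-loading directive."""
    findings, section = [], "default"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in LOADER_KEYS:
            value = value.strip().strip('"')
            findings.append((section, key.strip().lower(), value, is_trusted(value)))
    return findings

# Constructed sample fragment, not taken from a real host or from the advisory.
SAMPLE_CONF = r"""
[ req ]
default_bits = 2048

[ example_engine ]
dynamic_path = C:\Users\Public\placeholder.dll   # user-writable location

[ example_provider ]
module = C:\Program Files\ExampleVendor\provider.dll
"""

if __name__ == "__main__":
    for section, key, path, trusted in find_library_loads(SAMPLE_CONF):
        print("ok     " if trusted else "REVIEW ", section, key, path)
```

Run it over every openssl.conf or openssl.cnf found during an audit; a relative path or one containing `..` is reported for review as well.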
Detection Strategies
- Monitor filesystem activity for directory creation in paths associated with OpenSSL configuration (e.g., paths containing OpenSSL or ssl)
- Implement DLL load monitoring for the lmadmin.exe process to detect loading of DLLs from non-standard locations
- Use application whitelisting to prevent execution of unsigned or untrusted DLLs by FlexNet Publisher components
- Deploy endpoint detection rules to alert on modification of OpenSSL configuration files in sensitive directories
Monitoring Recommendations
- Enable verbose logging for FlexNet Publisher License Server Manager to capture configuration load events
- Implement file integrity monitoring on directories where OpenSSL configuration files should reside
- Configure Windows Event logging to capture process creation and DLL load events for lmadmin.exe
- Use SentinelOne's behavioral AI to detect privilege escalation patterns associated with DLL injection attacks
How to Mitigate CVE-2024-2658
Immediate Actions Required
- Upgrade FlexNet Publisher to version 2024 R1 (11.19.6.0) or later immediately
- Audit existing systems for unauthorized directories or configuration files in OpenSSL-related paths
- Restrict filesystem permissions to prevent low-privileged users from creating directories in system paths
- Implement application control policies to prevent unauthorized DLL loading
Patch Information
Flexera has released FlexNet Publisher version 2024 R1 (11.19.6.0) which addresses this vulnerability. Organizations using FlexNet Publisher should upgrade to this version or later to remediate the issue. For detailed patching instructions, refer to the Flexera CVE-2024-2658 Advisory. Additional technical details are available from the Zero Day Initiative ZDI-24-359 Advisory.
Workarounds
- Pre-create the expected OpenSSL configuration directory with restrictive permissions (accessible only by SYSTEM or administrators)
- Use Windows NTFS permissions to lock down potential configuration file paths against modification by standard users
- Consider running FlexNet Publisher services with minimal required privileges where possible
- Implement endpoint protection solutions like SentinelOne to detect and block DLL injection attempts in real-time

