CVE-2024-2658: 
FlexNet Publisher vulnerability analysis and mitigation

A misconfiguration vulnerability has been identified in FlexNet Publisher versions prior to 2024 R1 (11.19.6.0), specifically in the lmadmin.exe component. The vulnerability relates to the OpenSSL configuration file loading from a non-existent directory, which could potentially lead to privilege escalation (NVD, ZDI).

The vulnerability is tracked as CVE-2024-2658 and has been assigned a CVSS v4.0 base score of 8.5 (HIGH) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The specific flaw exists within the configuration of OpenSSL, where the process loads an OpenSSL configuration file from an unsecured location. The vulnerability has been classified under CWE-427 (Uncontrolled Search Path Element) (NVD, ZDI).

If successfully exploited, this vulnerability allows an unauthorized, locally authenticated user with low privileges to potentially execute arbitrary code with elevated privileges in the context of the service account. This can lead to complete system compromise at the privilege level of the service (ZDI).

Flexera Software has released version 2024 R1 (11.19.6.0) to address this vulnerability. Users are advised to upgrade to this version to mitigate the risk (ZDI).