Discovered by security consultant Adrian Pruteanu, the issue stems from RLM's web server listening on the non-standard port 5054, where by default it does not require authentication. An unauthenticated attacker can specify an arbitrary license file on the server to read or modify, which could result in information leakage or, via upload of malware, remote code execution.
Pruteanu said: "During a recent penetration engagement, I came across a particularly interesting web application called RLM, running on the non-standard port 5054. This naturally caught my eye. After a bit of poking around, I was able to identify a critical vulnerability which allowed me to execute code on the server, eventually leading to full domain compromise.
"Regrettably, despite my best efforts, the vendor has refused to issue patches as they do not believe these findings to be vulnerabilities," he continued.
In its response to Trustwave, Reprise wrote: "We tell end users not to run the RLM server - which implements the web server - in privileged mode. There is no reason it needs to run with elevated privileges. The license and options file editors in the web interface are no more dangerous than Notepad or Wordpad."
The vulnerability was reported to Reprise on May 16, 2018, and the vendor discontinued communication on May 29.
"Security holes are rarely made up of isolated vulnerabilities," said Eerke Boiten, professor of cybersecurity, De Montfort University, Leicester. "In this case it appears to be an administrative web interface that doesn’t authenticate properly, combined with a server running with too high privileges, and one or more unnamed vulnerabilities that allow this to be exploited to the level of full code execution.
"Responsible behavior would be to fix each element of this, not to just change the user manual to ensure that anyone who has a recent copy of it will not make a dangerous mistake."