Full Disclosure mailing list archives

SEC Consult SA-20210301-0 :: Authentication bypass vulnerability in Genua GenuGate High Resistance Firewall

From: SEC Consult Vulnerability Lab <research () sec-consult com>
Date: Mon, 1 Mar 2021 14:47:34 +0100

SEC Consult Vulnerability Lab Security Advisory < 20210301-0 > 
=======================================================================              title: Authentication bypass 
vulnerability            product: Genua GenuGate High Resistance Firewall
vulnerable version: GenuGate <10.1 p4, <9.6 p7, <9.0/9.0 Z p19      fixed version: GenuGate 10.1 p4 (G1010_004), 9.6 p7 
(G960_007) 9.0 and 9.0 Z p19 (G900_019)         CVE number: CVE-2021-27215             impact: critical           
homepage:
https://www.genua.de/en/it-security-solutions/high-resistance-firewall-genugate 
<https://www.genua.de/en/it-security-solutions/high-resistance-firewall-genugate>              found: 2021-01-28        
         by: Armin Stock (Atos Germany)
                    SEC Consult Vulnerability Lab                       An integrated part of SEC Consult, an Atos 
company                     Europe | Asia | North America                     https://www.sec-consult.com 
<https://www.sec-consult.com>
======================================================================= Vendor description: ------------------- 
"genugate Firewall: Well Protected Against Attacks Your level of IT security is determined largely at the interface 
between the Internet
and the local network. The attacks from the outside and the data   sent from the inside pass through this point. The 
High Resistance Firewall genugate satisfies the highest requirements:   two different firewall systems – an application 
level gateway
and   a packet filter, each on separate hardware – are combined to form a compact solution. genugate is approved for 
classification levels German and NATO RESTRICTED and RESTREINT UE/EU RESTRICTED. genugate is certified according to CC 
EAL 4+" URL:
https://www.genua.de/en/it-security-solutions/high-resistance-firewall-genugate 
<https://www.genua.de/en/it-security-solutions/high-resistance-firewall-genugate> Business recommendation: 
------------------------ The vendor provides a patched version
for the affected products which should be installed immediately. Customers should also adhere to security best 
practices such as network segmentation and limiting access to the admin panel. This is also a requirement for certified 
and approved
environments. Vulnerability overview/description: ----------------------------------- 1) Authentication bypass 
vulnerability (CVE-2021-27215) The Admin Web interface, the Sidechannel Web and Userweb interface can use different 
methods to perform the
authentication of a user. A specific authentication method during login does not check the provided data and returns OK 
for any authentication request. This allows an attacker to login to the admin panel with a user of his choice, e.g the 
root user
with highest privileges or even a non-existing user. An attacker needs to have network access to the admin interface. 
Certified and approved environments mandate that the admin interface is only reachable through a strictly separated 
network.
Nevertheless, it is a highly critical security vulnerability and must be patched immediately. Proof of concept: 
----------------- 1) Authentication bypass vulnerability (CVE-2021-27215) During the authentication requests at the 
login page of the
admin web interface, the Sidechannel Web and Userweb interface, certain HTTP POST parameters are passed to the server. 
By manipulating a specific parameter method, an attacker is able to bypass the authentication easily and login as 
arbitrary user. [
Detailed proof of concept removed ] A proof of concept video is available at https://youtu.be/Wfj3-6UBkzg 
<https://youtu.be/Wfj3-6UBkzg> Vulnerable / tested versions: ----------------------------- The versions 9.6 p0 and 9.6 
p6 of the Genua GenuGate
firewall were tested and found to be vulnerable. The p6 version was the latest version at the time of discovery. The 
supported and released product versions 9.0, 9.0 Z and 10.1 are affected as well. Vendor contact timeline: 
------------------------
2021-01-29 | Contacting vendor through security () genua de <mailto:security () genua de>             Asking for an 
S/MIME certificate or GnuGP key to be able to send              an encrypted report 2021-01-29 | Received GnuGP key 
from vendor and sent
encrypted (PGP) report. 2021-01-29 | Vendor confirmed the issue and is working on a patch. 2021-02-02 | Vendor released 
a patch for the affected products. 2021-02-15 | Informing CERT-Bund and CERT.at about the upcoming advisory release. 
2021-02-17 |
Coordination call with vendor. 2021-03-01 | Coordinated release of security advisory. Solution: --------- The vendor 
provides a patched version for the affected and supported products which should be installed immediately. The patch can 
be downloaded
in genugate GUI or by calling 'getpatches' on the command line interface. Additional information can be viewed at the 
vendor's support page: https://kunde.genua.de/en/overview/genugate.html 
<https://kunde.genua.de/en/overview/genugate.html>
Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ 
<https://sec-consult.com/vulnerability-lab/> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
SEC Consult Vulnerability Lab SEC
Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult 
Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC 
Consult in the field of
network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality 
penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our 
customers obtain
the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC 
Consult? Send
us your application https://sec-consult.com/career/ <https://sec-consult.com/career/> Interested in improving your 
cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/
<https://sec-consult.com/contact/> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: 
research at sec-consult dot com Web: https://www.sec-consult.com <https://www.sec-consult.com> Blog: 
http://blog.sec-consult.com
<http://blog.sec-consult.com> Twitter: https://twitter.com/sec_consult <https://twitter.com/sec_consult> EOF A. Stock / 
@2021

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

SEC Consult SA-20210301-0 :: Authentication bypass vulnerability in Genua GenuGate High Resistance Firewall SEC Consult Vulnerability Lab (Mar 01)
- <Possible follow-ups>
- SEC Consult SA-20210301-0 :: Authentication bypass vulnerability in Genua GenuGate High Resistance Firewall SEC Consult Vulnerability Lab (Mar 01)