Critical Auth. Bypass Flaw – Firewall Vendor Patches!

Cyber-security firm Genua fixed a critical flaw in its GenuGate High Resistance Firewall, which allowed attackers to log in as root users.

Germany-based cyber-security company Genua has fast-tracked a fix for a critical flaw in one of its firewall products. If exploited, the vulnerability could allow local attackers to bypass authentication measures & log in to internal company networks with the highest level of privileges.

Genua says it offers more than 20 security solutions for encrypting data communication via the internet, remotely maintaining systems, securely accessing remote data and more – used by anything from critical infrastructure companies to German Federal agencies.

HTTP POST

Affected by the critical flaw is the GenuGate High Resistance Firewall, which Genua markets as a 2-tier firewall that includes an application-level gateway and a packet filter for blocking malicious data.

“An unauthenticated attacker is able to successfully login as arbitrary user in the admin web interface, the side channel interface & user web interface, even as root with highest privileges, by manipulating certain HTTP POST parameters during login,” according to security & application consultation company SEC Consult on Monday.

High Resistance Firewall

Genua says that the GenuGate High Resistance Firewall blocks internal networks against unauthorised access & structures an intranet to establish various domains with different protection measures.

According to Genua, GenuGate is classified as “NATO Restricted.” NATO Restricted is a security classification for restricted information from NATO. It requires that certain products contain safeguards & protection from public release & disclosure. According to Genua:

“The High Resistance Firewall Genugate satisfies the highest requirements: 2 different firewall systems – an application-level gateway & a packet filter, each on separate hardware – are combined to form a compact solution. Genugate is approved for classification levels German & NATO RESTRICTED & RESTREINT UE/EU RESTRICTED. genugate is certified according to CC EAL 4+”

Patched Version

The vulnerable versions of the firewall are GenuGate versions below 10.1 p4, below 9.6 p7, and 9.0 and 9.0 Z below p19. The flaw has been fixed in GenuGate versions 10.1 p4 (G1010_004); 9.6 p7 (G960_007); 9.0 and 9.0 Z p19 (G900_019).

“The vendor provides a patched version for the affected products which should be installed immediately,” according to SEC Consult. “Customers should also adhere to security best practices such as network segmentation & limiting access to the admin panel. This is also a requirement for certified & approved environments.”

Firewall Cyber-Security Flaw

The critical authentication bypass vulnerability (CVE-2021-27215) stems from GenuGate’s various admin authentication methods. The admin web interface, sidechannel web interface & userweb interface each use different methods to authenticate users.

During the login process, certain HTTP POST parameters are passed to the server, which does not validate the provided data & therefore accepts any authentication request.

By manipulating a specific parameter, an attacker would be able to bypass the authentication easily & log in as an arbitrary user. That could include logging in as a root user with the highest privileges (or even as a non-existent user), said SEC Consult researchers.
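The following Python is an added illustration, not Genua's code, and the parameter names are constructed (the advisory withholds the real ones). It contrasts a hypothetical login handler that believes a client-supplied POST parameter with a hardened one that makes every decision from server-side state and also enforces the separated management network that SEC Consult recommends:

```python
import hashlib
import hmac
import ipaddress

# Constructed user store: username -> (salt, sha256(salt + password)).
# A real system would use a slow password hash; sha256 keeps this offline and short.
def _hash(salt, password):
    return hashlib.sha256(salt + password.encode()).digest()

_SALT = b"constructed-salt"
USERS = {
    "auditor": (_SALT, _hash(_SALT, "correct horse")),
    "root": (_SALT, _hash(_SALT, "hunter2-but-longer")),
}
ALLOWED_METHODS = {"password"}                    # methods the server itself implements
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")   # constructed management network

def weak_login(params):
    """Hypothetical weak pattern: the server trusts a client-supplied claim
    about whether (or how) the user was authenticated. Returns the username."""
    if params.get("authenticated") == "1":        # client-controlled, never verified
        return params.get("user")                 # any name works, even a non-existent one
    return None

def hardened_login(params, client_ip, interface):
    """Return the authenticated username, or None. POST parameters are only
    inputs to server-side checks, never a source of authentication state."""
    # 1. The admin interface is reachable only from the separated management network.
    if interface == "admin" and ipaddress.ip_address(client_ip) not in MGMT_NET:
        return None
    # 2. The requested method must be one the server implements; anything else,
    #    including a claimed "already authenticated" state, is rejected outright.
    if params.get("method") not in ALLOWED_METHODS:
        return None
    user = params.get("user", "")
    password = params.get("password", "")
    # 3. Unknown users follow the same path as a wrong password (dummy digest),
    #    so a non-existent account can never be logged in.
    salt, stored = USERS.get(user, (_SALT, b"\x00" * 32))
    if not hmac.compare_digest(_hash(salt, password), stored):
        return None
    return user
```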

SEC Consult

Researchers with SEC Consult published a high-level proof-of-concept (PoC) exploit, including a video. However, researchers abstained from publishing specific PoC details due to the critical nature of the bug.

There is one saving grace. In order to exploit the vulnerability, an attacker would first need to have network access to the admin interface.

“Certified & approved environments mandate that the admin interface is only reachable through a strictly separated network,” according to SEC Consult. “Nevertheless, it is a highly critical security vulnerability & must be patched immediately.”

Vulnerabilities & Remediation

Researchers contacted Genua on Jan. 29 regarding the vulnerability. That same day, Genua confirmed the issue & began working on a patch – & released a patch for the affected product on Feb. 2. The public disclosure of the vulnerability (coordinated with CERT-Bund & CERT) was published on Monday. SEC Consult said the patch can be downloaded in the GenuGate GUI or by calling “getpatches” on the command-line interface.

Firewall vulnerabilities provide a dangerous route for attackers to infiltrate sensitive company networks.

Zyxel Communications

In Jan., security experts warned hackers are ramping up attempts to exploit a high-severity vulnerability that may still reside in over 100,000 Zyxel Communications products, which are generally utilised by small businesses as firewalls & VPN gateways.

In April, attackers started targeting the Sophos XG Firewall (both physical & virtual versions) using a zero-day exploit, with the ultimate goal of dropping the Asnarok malware on vulnerable appliances.
