exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Genua GenuGate High Resistance Firewall Authentication Bypass

Genua GenuGate High Resistance Firewall Authentication Bypass
Posted Mar 1, 2021
Authored by Armin Stock | Site sec-consult.com

Genua GenuGate High Resistance Firewall versions prior to 10.1 p4, 9.6 p7, and 9.0 Z p19 suffer from an authentication bypass vulnerability.

tags | advisory, bypass
advisories | CVE-2021-27215
SHA-256 | 641799a20f14a534fe3b512213475065884772c8836ce0753bf88afc37aa5ea8

Genua GenuGate High Resistance Firewall Authentication Bypass

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20210301-0 >
=======================================================================
title: Authentication bypass vulnerability
product: Genua GenuGate High Resistance Firewall
vulnerable version: GenuGate <10.1 p4, <9.6 p7, <9.0/9.0 Z p19
fixed version: GenuGate 10.1 p4 (G1010_004), 9.6 p7 (G960_007)
9.0 and 9.0 Z p19 (G900_019)
CVE number: CVE-2021-27215
impact: critical
homepage: https://www.genua.de/en/it-security-solutions/high-resistance-firewall-genugate
found: 2021-01-28
by: Armin Stock (Atos Germany)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult, an Atos company
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"genugate Firewall: Well Protected Against Attacks

Your level of IT security is determined largely at the interface between the
Internet and the local network. The attacks from the outside and the data
sent from the inside pass through this point.

The High Resistance Firewall genugate satisfies the highest requirements:
two different firewall systems – an application level gateway and
a packet filter, each on separate hardware – are combined to form a compact
solution. genugate is approved for classification levels German and NATO
RESTRICTED and RESTREINT UE/EU RESTRICTED. genugate is certified according
to CC EAL 4+"

URL: https://www.genua.de/en/it-security-solutions/high-resistance-firewall-genugate


Business recommendation:
------------------------
The vendor provides a patched version for the affected products which should
be installed immediately.

Customers should also adhere to security best practices such as network
segmentation and limiting access to the admin panel. This is also a requirement
for certified and approved environments.


Vulnerability overview/description:
-----------------------------------
1) Authentication bypass vulnerability (CVE-2021-27215)
The Admin Web interface, the Sidechannel Web and Userweb interface can use different
methods to perform the authentication of a user. A specific authentication method during
login does not check the provided data and returns OK for any authentication request. This
allows an attacker to login to the admin panel with a user of his choice, e.g the root
user with highest privileges or even a non-existing user.

An attacker needs to have network access to the admin interface. Certified and approved
environments mandate that the admin interface is only reachable through a strictly
separated network. Nevertheless, it is a highly critical security vulnerability and
must be patched immediately.


Proof of concept:
-----------------
1) Authentication bypass vulnerability (CVE-2021-27215)
During the authentication requests at the login page of the admin web interface, the
Sidechannel Web and Userweb interface, certain HTTP POST parameters are passed to the
server. By manipulating a specific parameter method, an attacker is able to bypass
the authentication easily and login as arbitrary user.

[ Detailed proof of concept removed ]

A proof of concept video is available at https://youtu.be/Wfj3-6UBkzg


Vulnerable / tested versions:
-----------------------------
The versions 9.6 p0 and 9.6 p6 of the Genua GenuGate firewall were tested and found
to be vulnerable. The p6 version was the latest version at the time of discovery.

The supported and released product versions 9.0, 9.0 Z and 10.1 are affected as well.


Vendor contact timeline:
------------------------
2021-01-29 | Contacting vendor through security@genua.de
Asking for an S/MIME certificate or GnuGP key to be able to send
an encrypted report
2021-01-29 | Received GnuGP key from vendor and sent encrypted (PGP) report.
2021-01-29 | Vendor confirmed the issue and is working on a patch.
2021-02-02 | Vendor released a patch for the affected products.
2021-02-15 | Informing CERT-Bund and CERT.at about the upcoming advisory release.
2021-02-17 | Coordination call with vendor.
2021-03-01 | Coordinated release of security advisory.


Solution:
---------
The vendor provides a patched version for the affected and supported products
which should be installed immediately.

The patch can be downloaded in genugate GUI or by calling 'getpatches'
on the command line interface.

Additional information can be viewed at the vendor's support page:
https://kunde.genua.de/en/overview/genugate.html


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF A. Stock / @2021

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close