Firewall Vendor Patches Critical Auth Bypass Flaw

Introduction:

Cybersecurity firm Genua fixes a critical flaw in its GenuGate High Resistance Firewall that allows attackers to log in as root users.

Germany-based cybersecurity company Genua has fast-tracked a fix for a critical flaw in one of its firewall products. If exploited, the vulnerability could allow local attackers to bypass authentication measures and log in to internal company networks with the highest level of privileges.

Genua says it offers more than 20 security solutions for encrypting data communication via the internet, remotely maintaining systems, securely accessing remote data and more – used by everyone from critical infrastructure companies to German federal agencies. Affected by the critical flaw is the GenuGate High Resistance Firewall, which Genua touts as a two-tier firewall that includes an application-level gateway and a packet filter for blocking malicious data.

“An unauthenticated attacker is able to successfully login as arbitrary user in the admin web interface, the side channel interface and user web interface, even as root with highest privileges, by manipulating certain HTTP POST parameters during login,” according to security and application consultation company SEC Consult on Monday (1/03/2021).

About Genua GenuGate High Resistance Firewall

Genua says that the GenuGate High Resistance Firewall blocks internal networks against unauthorized access, and structures an intranet to establish various domains with different protection measures.

According to Genua, GenuGate is classified as “NATO Restricted.” NATO Restricted is a security classification for restricted information from the North Atlantic Treaty Organization. Certain products should contain safeguards and protection from public release and disclosure. According to Genua:

“The High Resistance Firewall genugate satisfies the highest requirements: two different firewall systems – an application level gateway and a packet filter, each on separate hardware – are combined to form a compact solution. Genugate is approved for classification levels such as German and NATO RESTRICTED and RESTREINT UE/EU RESTRICTED. Genugate is certified according to CC EAL 4+”

The vulnerable versions of the firewall are GenuGate versions below 10.1 p4, below 9.6 p7, and 9.0/9.0 Z below p19. The flaw has been fixed in GenuGate versions 10.1 p4 (G1010_004); 9.6 p7 (G960_007); 9.0 and 9.0 Z p19 (G900_019).

“The vendor provides a patched version for the affected products which should be installed immediately,” according to SEC Consult. “Customers should also adhere to security best practices such as network segmentation and limiting access to the admin panel. This is also a requirement for certified and approved environments.”

Critical GenuGate Firewall Cybersecurity Flaw

The critical authentication bypass vulnerability (CVE-2021-27215) stems from GenuGate’s various admin authentication methods. The admin web interface, the sidechannel web interface and the userweb interface use different methods to authenticate users.

But during the login process, certain HTTP POST parameters are passed to the server, which does not check the provided data and allows any authentication request.

By manipulating a specific parameter, an attacker is able to bypass the authentication easily and log in as an arbitrary user. That could include logging in as a root user with the highest privileges (or even a non-existing user), said SEC Consult researchers.
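The bug class described above, as an added example that is not GenuGate code and not from the SEC Consult advisory: a constructed login handler where one backend returns OK without checking anything, shown beside a fail-closed version. The form fields (`user`, `secret`, `method`), backend names and user store are all hypothetical.

```python
import hashlib
import hmac

SALT = b"constructed-demo-salt"  # constructed sample value

def _kdf(secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 50_000)

# Constructed user store; the account and passphrase are sample data.
USERS = {"root": _kdf("sample-root-passphrase")}

def check_password(user: str, secret: str) -> bool:
    stored = USERS.get(user)
    candidate = _kdf(secret)
    return stored is not None and hmac.compare_digest(stored, candidate)

def check_always_ok(user: str, secret: str) -> bool:
    """Hypothetical backend that never inspects its input (the defect)."""
    return True

BACKENDS = {"password": check_password, "always_ok": check_always_ok}

def login_weak(form: dict) -> bool:
    # Weak: the request itself chooses which backend judges it.
    backend = BACKENDS.get(form.get("method", "password"), check_password)
    return backend(form.get("user", ""), form.get("secret", ""))

# Hardened: only backends that really verify credentials are registered,
# and the choice comes from server configuration, never from the request.
VERIFYING_BACKENDS = {"password": check_password}

def login_hardened(form: dict, configured_method: str = "password") -> bool:
    backend = VERIFYING_BACKENDS.get(configured_method)
    user = form.get("user", "")
    if backend is None or user not in USERS:
        return False  # fail closed: unknown method or unknown account
    return backend(user, form.get("secret", "")) is True
```

A regression test for this class of bug should assert that every registered backend rejects an empty or wrong credential and an unknown account.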

Researchers with SEC Consult published a high-level proof-of-concept (PoC) exploit, including a video. However, researchers abstained from publishing specific PoC details due to the critical nature of the bug.

There is one caveat. In order to exploit the vulnerability, an attacker would first need to have network access to the admin interface.

“Certified and approved environments mandate that the admin interface is only reachable through a strictly separated network,” according to SEC Consult. “Nevertheless, it is a highly critical security vulnerability and must be patched immediately.”

Affected CVE:

Vulnerable Version: GenuGate <10.1 p4, <9.6 p7, <9.0/9.0 Z p19

CVE: CVE-2021-27215

Title: Authentication bypass vulnerability

Impact: critical

Fixed Version: GenuGate 10.1 p4 (G1010_004), 9.6 p7 (G960_007), 9.0 and 9.0 Z p19 (G900_019)

“The Admin Web interface, the Sidechannel Web and Userweb interface can use different methods to perform the authentication of a user. A specific authentication method during login does not check the provided data and returns OK for any authentication request. This allows an attacker to login to the admin panel with a user of his choice, e.g. the root user with highest privileges or even a non-existing user.”

Vulnerable / tested versions

The versions 9.6 p0 and 9.6 p6 of the Genua GenuGate firewall were tested and found to be vulnerable. The p6 version was the latest version at the time of discovery.

The supported and released product versions 9.0, 9.0 Z and 10.1 are affected as well.

Vendor contact timeline

2021-01-29 Contacting vendor through [email protected]
  Asking for an S/MIME certificate or GnuPG key to be able to send an encrypted report
2021-01-29 Received GnuPG key from vendor and sent encrypted (PGP) report.
2021-01-29 Vendor confirmed the issue and is working on a patch.
2021-02-02 Vendor released a patch for the affected products.
2021-02-15 Informing CERT-Bund and CERT.at about the upcoming advisory release.
2021-02-17 Coordination call with vendor.
2021-03-01 Coordinated release of security advisory.

Remediation

  • The vendor provides a patched version for the affected and supported products which should be installed immediately.
  • The patch can be downloaded in genugate GUI or by calling ‘getpatches’ on the command line interface.
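To confirm that an inventory of firewalls is at or above the fixed patch levels listed above, the following added example (not vendor or SEC Consult code) compares version strings against those levels. It assumes versions are recorded in the article's "branch pN" notation; the hostnames are constructed, and branches the article does not list are reported as "unknown" rather than guessed.

```python
import re

# Fixed patch level per release branch, from the advisory table on this page.
FIXED_PATCH = {"10.1": 4, "9.6": 7, "9.0": 19, "9.0 Z": 19}

_VERSION_RE = re.compile(
    r"^\s*(?:genugate\s+)?(\d+\.\d+)(\s+Z)?\s+p(\d+)\s*$", re.IGNORECASE
)

def parse_version(text: str) -> tuple[str, int]:
    """Split 'GenuGate 9.0 Z p18' into ('9.0 Z', 18)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    branch = m.group(1) + (" Z" if m.group(2) else "")
    return branch, int(m.group(3))

def patch_status(text: str) -> str:
    """Return 'patched', 'vulnerable', or 'unknown' for an unlisted branch."""
    branch, patch = parse_version(text)
    fixed = FIXED_PATCH.get(branch)
    if fixed is None:
        return "unknown"
    return "patched" if patch >= fixed else "vulnerable"

def audit(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host to its status; unparseable entries need manual review."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = patch_status(version)
        except ValueError:
            report[host] = "unparsed"
    return report

# Constructed sample inventory (hostnames are placeholders).
SAMPLE_INVENTORY = {
    "fw-a.example": "GenuGate 9.6 p6",
    "fw-b.example": "10.1 p4",
    "fw-c.example": "9.0 Z p18",
    "fw-d.example": "8.0 p3",
    "fw-e.example": "ten point one",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```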