Firewall Vendor Patches Critical Auth Bypass Flaw

Genua firewall security vulnerability

Cybersecurity firm Genua fixes a critical flaw in its GenuGate High Resistance Firewall, allowing attackers to log in as root users.

Germany-based cybersecurity company Genua has fast-tracked a fix for a critical flaw in one of its firewall products. If exploited, the vulnerability could allow local attackers to bypass authentication measures and log in to internal company networks with the highest level of privileges.

Genua says it offers more than 20 security solutions for encrypting data communication via the internet, remotely maintaining systems, securely accessing remote data and more – used by anything from critical infrastructure companies to German federal agencies. Affected by the critical flaws is the GenuGate High Resistance Firewall, which Genua touts as a two-tier firewall that includes an application-level gateway and a packet filter for blocking malicious data.

“An unauthenticated attacker is able to successfully login as arbitrary user in the admin web interface, the side channel interface and user web interface, even as root with highest privileges, by manipulating certain HTTP POST parameters during login,” according to security and application consultation company SEC Consult on Monday.

Genua GenuGate High Resistance Firewall

Genua says that the GenuGate High Resistance Firewall blocks internal networks against unauthorized access, and structures an intranet to establish various domains with different protection measures.

According to Genua, GenuGate is classified as “NATO Restricted.” NATO is a security classification for restricted information from the North Atlantic Treaty Organization. It requires that certain products contain safeguards and protection from public release and disclosure. According to Genua:

“The High Resistance Firewall genugate satisfies the highest requirements: two different firewall systems – an application level gateway and  a packet filter, each on separate hardware – are combined to form a compact solution. genugate is approved for classification levels German and NATO RESTRICTED and RESTREINT UE/EU RESTRICTED. genugate is certified according to CC EAL 4+”

The vulnerable versions of the firewall include GenuGate versions below 10.1 p4; below 9.6 p7 and versions 9.0 and below Z p19. The flaw has been fixed in GenuGate versions 10.1 p4 (G1010_004); 9.6 p7 (G960_007); 9.0 and 9.0 Z p19 (G900_019).

“The vendor provides a patched version for the affected products which should be installed immediately,” according to SEC Consult. “Customers should also adhere to security best practices such as network segmentation and limiting access to the admin panel. This is also a requirement for certified and approved environments.”

Critical GenuGate Firewall Cybersecurity Flaw

The critical authentication bypass vulnerability (CVE-2021-27215) stems from the GenuGate’s various admin authentication methods. The admin web interface, sidechannel web and userweb interface, use different methods to authenticate users.

But during the login process, certain HTTP POST parameters are passed to the server, which does not check the provided data, and allows for any authentication request.

By manipulating a specific parameter method, an attacker is able would be able bypass the authentication easily and login as arbitrary user. That could include logging in as a root user with the highest privileges (or even a non-existing user), said SEC Consult researchers.

Researchers with SEC Consult published a high-level proof-of-concept (PoC) exploit, including a video (see below). However, researchers abstained from publishing specific PoC details due to the critical nature of the bug.

There is one caveat. In order to exploit the vulnerability, an attacker would first need to have network access to the admin interface.

“Certified and approved environments mandate that the admin interface is only reachable through a strictly separated network,” according to SEC Consult. “Nevertheless, it is a highly critical security vulnerability and must be patched immediately.”

Cybersecurity Firewall Vulnerabilities and Remediation

Researchers contacted Genua on Jan. 29 regarding the vulnerability. That same day, Genua confirmed the issue and began working on a patch – and released a patch for the affected product on Feb. 2. The public disclosure of the vulnerability (in coordination with CERT-Bund and CERT) was published, Monday. SEC Consult said, the patch can be downloaded in GenuGate GUI or by calling “getpatches” on the command line interface.

Firewall vulnerabilities provide a dangerous route for attackers to infiltrate sensitive company networks.

In January, security experts warned hackers are ramping up attempts to exploit a high-severity vulnerability that may still reside in over 100,000 Zyxel Communications products, which are generally utilized by small businesses as firewalls and VPN gateways. In April, attackers started targeting the Sophos XG Firewall (both physical and virtual versions) using a zero-day exploit, with the ultimate goal of dropping the Asnarok malware on vulnerable appliances.

Genua has not responded to a request for comment.

Suggested articles