Security Advisories

CVE-2021-33601: Arbitrary Code Execution in Web Interface of F-Secure Internet Gatekeeper

Description

A vulnerability in the web user interface of the F-Secure Internet Gatekeeper 5 series product can lead to arbitrary code execution.

STATUS: Fixed

RISK LEVEL: Medium

FIX: Hotfix 9 has been published to fix this vulnerability. Download and instructions available at: https://download.f-secure.com/corpro/igk/igk5.50/fsigk-5-hf9.tar.gz

Affected Products

Corporate Products:

  • F-Secure Internet Gatekeeper 5 Series

Platforms

  • All supported platforms for the affected products

More Information

A vulnerability was discovered in the web user interface of F-Secure Internet Gatekeeper. An authenticated user can modify settings through the web user interface in a way that could lead to arbitrary code execution on the F-Secure Internet Gatekeeper server.

This issue and a proof-of-concept exploit were reported privately to F-Secure as part of our Vulnerability Reward Program. No known attacks have been reported or observed in the wild.

Credits

F-Secure Corporation would like to thank Selim Enes Karaduman (@enesdex) for bringing this issue to our attention.

Advisory changes

Date        Changes
2021-09-28  First advisory published.
2021-09-29  Risk level changed from 'High' to 'Medium'.

Date Issued: 2021-09-28
Date Updated: 2021-09-29