Security Advisories

FSC-2019-4: Authentication Bypass in F-Secure Server Security and F-Secure Email and Server Security

Description

Authentication bypass in F-Secure Server Security and F-Secure Email and Server Security.

STATUS: RESOLVED.

ACTION REQUIRED: No user action is required, unless automatic updates have been disabled.

RISK LEVEL: HIGH.

Affected Products

Corporate Products:

  • F-Secure Protection Service for Business Email and Server Security 12.x
  • F-Secure Protection Service for Business Server Security 12.x
  • F-Secure Email and Server Security Standard and Premium 12.x
  • F-Secure Server Security Standard and Premium 12.x

Please note: Our latest products are not affected by this vulnerability:

  • F-Secure Server Security Standard and Premium 14.x
  • F-Secure Server Protection 19.x
  • F-Secure Server Protection Premium 19.x
  • F-Secure Server Protection Premium & Rapid Detection and Response 19.x

Platforms

  • Windows
  • All supported platforms for the affected products

More Information

A vulnerability was discovered in the web user interface of the F-Secure Server Security and F-Secure Email and Server Security products. The authentication of the web user interface can be bypassed, granting the attacker administrator privileges on the product.

This issue and a Proof-of-Concept exploit were reported privately to F-Secure as part of our Vulnerability Reward Program. No known attacks have been reported or observed in the wild.

Mitigating Factors

By default, the web user interface only accepts connections from localhost (127.0.0.1), so the bypass is only reachable from the server itself. If additional hosts have been added to the allowed list, the web user interface (and therefore the bypass) is reachable from those hosts. The current value can be checked in the web user interface under Settings > Administrator > Web Console > Allowed hosts.
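As an added check that is not part of the original advisory, the following Python script parses the output of `netstat -ano` from a Windows server and reports any TCP listener on the web console port that is bound to something other than a loopback address. The advisory does not state the web console port, so the port (8080 below) and the sample netstat lines are constructed placeholders; substitute the port the console actually uses on the host.

```python
import ipaddress
import re

# Constructed sample of `netstat -ano` output; not captured from a real host.
# Port 8080 and PID 4120 are placeholders standing in for the web console.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:8080      0.0.0.0:0              LISTENING       4120
  TCP    [::1]:8080             [::]:0                 LISTENING       4120
  TCP    192.168.1.10:49712     40.90.1.1:443          ESTABLISHED     2204
"""

# Matches only TCP sockets in the LISTENING state (UDP rows carry no state column).
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+LISTENING\s+(\d+)\s*$")


def split_endpoint(endpoint):
    """Split '127.0.0.1:8080' or '[::1]:8080' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_listeners(netstat_text):
    """Return a list of {host, port, pid} dicts for every TCP listener."""
    listeners = []
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if not match:
            continue
        local, _remote, pid = match.groups()
        host, port = split_endpoint(local)
        listeners.append({"host": host, "port": port, "pid": int(pid)})
    return listeners


def is_loopback_only(host):
    """True only for 127.0.0.0/8 and ::1; wildcard binds count as exposed."""
    if host in ("0.0.0.0", "::"):
        return False
    return ipaddress.ip_address(host).is_loopback


def exposed_listeners(netstat_text, console_port):
    """Listeners on console_port that would accept non-local connections."""
    return [
        entry
        for entry in parse_listeners(netstat_text)
        if entry["port"] == console_port and not is_loopback_only(entry["host"])
    ]


if __name__ == "__main__":
    # On a real server: netstat -ano > netstat.txt, then feed that file in.
    for entry in exposed_listeners(SAMPLE_NETSTAT, 8080):
        print("exposed: %(host)s:%(port)d (PID %(pid)d)" % entry)
```

A listener on a non-loopback address does not by itself prove the console accepts remote sessions (the Allowed hosts setting is enforced by the application), but it is the cheapest way to find servers where that setting needs to be reviewed before the fix has been applied.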

Fix Available

Product Versions and Fix

  • F-Secure Protection Service for Business Email and Server Security 12.x: A fix has been released through the automatic update channel since 3 September 2019. No user action is required if automatic updates are enabled.
  • F-Secure Protection Service for Business Server Security 12.x: A fix has been released through the automatic update channel since 3 September 2019. No user action is required if automatic updates are enabled.
  • F-Secure Email and Server Security Standard and Premium 12.x: A fix has been released through the automatic update channel since 3 September 2019. No user action is required if automatic updates are enabled.
  • F-Secure Server Security Standard and Premium 12.x: A fix has been released through the automatic update channel since 3 September 2019. No user action is required if automatic updates are enabled.

Credits

F-Secure Corporation would like to thank Kevin Joensen for bringing this issue to our attention.

Date Issued: 2019-09-05