FSC-2019-4: Authentication Bypass in F-Secure Server Security and F-Secure Email and Server Security

Authentication bypass in F-Secure Server Security and F-Secure Email and Server Security.

STATUS: RESOLVED.

ACTION REQUIRED: No user action is required, unless automatic updates have been disabled.

RISK LEVEL: HIGH.

Corporate Products:

• F-Secure Protection Service for Business Email and Server Security 12.x
• F-Secure Protection Service for Business Server Security 12.x
• F-Secure Email and Server Security Standard and Premium 12.x
• F-Secure Server Security Standard and Premium 12.x

Please note: Our latest products are not affected by this vulnerability. 

• F-Secure Server Security Standard and Premium 14.x
• F-Secure Server Protection 19.x
• F-Secure Server Protection Premium 19.x
• F-Secure Server Protection Premium & Rapid Detection and Response 19.x

• Windows 
• All supported platforms for the affected products

A vulnerability was discovered in the web user interface of the F-Secure Security and F-Secure Email and Server Security product. The authentication on the web user interface can be bypassed which will grant administrator privileges of the product.

This issue and a Proof-of-Concept exploit was reported privately to F-Secure as part of our Vulnerability Reward Program. No known attacks have been reported or observed in the wild.

By default, the web user interface only accepts connections from localhost (127.0.0.1). The value of this configuration can be viewed from the web user interface: Settings > Administrator > Web Console > Allowed hosts. 

F-Secure Corporation would like to thank Kevin Joensen for bringing this issue to our attention.

Date Issued: 2019-09-05