Authentication bypass in F-Secure Server Security and F-Secure Email and Server Security.
STATUS: RESOLVED.
ACTION REQUIRED: No user action is required, unless automatic updates have been disabled.
RISK LEVEL: HIGH.
Corporate Products:
Please note: Our latest products are not affected by this vulnerability.
A vulnerability was discovered in the web user interface of the F-Secure Server Security and F-Secure Email and Server Security products. The authentication on the web user interface can be bypassed, which grants administrator privileges on the product.
This issue and a proof-of-concept exploit were reported privately to F-Secure as part of our Vulnerability Reward Program. No known attacks have been reported or observed in the wild.
By default, the web user interface only accepts connections from localhost (127.0.0.1). The current value of this setting can be viewed in the web user interface under Settings > Administrator > Web Console > Allowed hosts.
Product | Versions | Fix |
---|---|---|
F-Secure Protection Service for Business Email and Server Security | 12.x | A fix has been released through the automatic update channel since 3rd Sept 2019. No user action is required if automatic update is enabled. |
F-Secure Protection Service for Business Server Security | 12.x | A fix has been released through the automatic update channel since 3rd Sept 2019. No user action is required if automatic update is enabled. |
F-Secure Email and Server Security Standard and Premium | 12.x | A fix has been released through the automatic update channel since 3rd Sept 2019. No user action is required if automatic update is enabled. |
F-Secure Server Security Standard and Premium | 12.x | A fix has been released through the automatic update channel since 3rd Sept 2019. No user action is required if automatic update is enabled. |
F-Secure Corporation would like to thank Kevin Joensen for bringing this issue to our attention.
Date Issued: 2019-09-05