Security Advisories
FSC-2019-4: Authentication Bypass in F-Secure Server Security and F-Secure Email and Server Security
Description
Authentication bypass in F-Secure Server Security and F-Secure Email and Server Security.
STATUS: RESOLVED.
ACTION REQUIRED: No user action is required, unless automatic updates have been disabled.
RISK LEVEL: HIGH.
Affected Products
Corporate Products:
- F-Secure Protection Service for Business Email and Server Security 12.x
- F-Secure Protection Service for Business Server Security 12.x
- F-Secure Email and Server Security Standard and Premium 12.x
- F-Secure Server Security Standard and Premium 12.x
Please note: Our latest products are not affected by this vulnerability.
- F-Secure Server Security Standard and Premium 14.x
- F-Secure Server Protection 19.x
- F-Secure Server Protection Premium 19.x
- F-Secure Server Protection Premium & Rapid Detection and Response 19.x
Platforms
- Windows
- All supported platforms for the affected products
More Information
A vulnerability was discovered in the web user interface of the F-Secure Security and F-Secure Email and Server Security product. The authentication on the web user interface can be bypassed which will grant administrator privileges of the product.
This issue and a Proof-of-Concept exploit was reported privately to F-Secure as part of our Vulnerability Reward Program. No known attacks have been reported or observed in the wild.
Mitigating Factors
By default, the web user interface only accepts connections from localhost (127.0.0.1). The value of this configuration can be viewed from the web user interface: Settings > Administrator > Web Console > Allowed hosts.
Fix Available
| Product | Versions | Fix |
|---|---|---|
| F-Secure Protection Service for Business Email and Server Security | 12.x | A fix has been released through the automatic update channel since 3rd Sept 2019. No user action is required if automatic update is enabled. |
| F-Secure Protection Service for Business Server Security | 12.x | A fix has been released through the automatic update channel since 3rd Sept 2019. No user action is required if automatic update is enabled. |
| F-Secure Email and Server Security Standard and Premium | 12.x | A fix has been released through the automatic update channel since 3rd Sept 2019. No user action is required if automatic update is enabled. |
| F-Secure Server Security Standard and Premium | 12.x | A fix has been released through the automatic update channel since 3rd Sept 2019. No user action is required if automatic update is enabled. |
Credits
F-Secure Corporation would like to thank Kevin Joensen for bringing this issue to our attention.
Date Issued: 2019-09-05