- Subject: Unsafe Java deserialization of untrusted data, leading to Remote Code Execution (authenticated)
- CVE ID#: CVE-2021-36981
- Versions: All versions of verinice / verinice.PRO before 1.22.2
- Summary: A vulnerability in the communication between the client and server components can be used by an authenticated user to execute arbitrary code on the server.
Description
verinice uses Java serialization as a communication channel between client and server components. Frank Nusko of Secianus GmbH has found that the mechanism and framework being used is susceptible to exploits that can be used to cause execution of arbitrary code on the server component. The verinice.TEAM has confirmed the vulnerability.
Since this server component is also used in the standalone mode of verinice, it could theoretically be used for local attacks of the verinice client-only product by a malicious user. A malicious user on the same machine could execute arbitrary commands on the local host but with the permissions and context of the user running the verinice client. This second attack variant was not verified by us but as a cautionary measure we recommend all standalone-client users to install the available patch as well.
The vulnerability can be exploited to gain access to the underlying operating system, modify files, delete files and extract information, including all data in the verinice database.
Patch Availability
An updated version of packages has been released to fix the issue. All users should install version 1.22.2 or later from the official repositories and/or the online shop:
Users of the verinice.PRO server should install the available RPM packages using their established update procedure.
Users of the verinice standalone client version will be offered to install the updated version during startup. If the automated update mechanism has been disabled by the user, the update can be manually triggered by accessing the following menu item:
Help -> Check for Updates
Workaround and mitigating factors
A user with valid verinice application credentials (i.e. name and password) and network access to the HTTP(S) port (usually one of: 80/443/8080/8443) is required to execute the attack. The user does not need administrative privileges or any particular rights within verinice for the attack to work.
Timeline
- 2021-07-14 – Frank Nusko of Secianus GmbH notified SerNet about the bug
- 2021-08-02 – SerNet has patch ready on source branch for testing
- 2021-08-12 – Secanius verified the patch
- 2021-08-30 – verinice 1.22.2 released, customers notified
Advisory written by the verinice.TEAM of SerNet GmbH.
The verinice.TEAM provided the fix.
Description
verinice uses Java serialization as a communication channel between client and server components. Frank Nusko of Secianus GmbH has found that the mechanism and framework being used is susceptible to exploits that can be used to cause execution of arbitrary code on the server component. The verinice.TEAM has confirmed the vulnerability.
Since this server component is also used in the standalone mode of verinice, it could theoretically be used for local attacks of the verinice client-only product by a malicious user. A malicious user on the same machine could execute arbitrary commands on the local host but with the permissions and context of the user running the verinice client. This second attack variant was not verified by us but as a cautionary measure we recommend all standalone-client users to install the available patch as well.
The vulnerability can be exploited to gain access to the underlying operating system, modify files, delete files and extract information, including all data in the verinice database.
Patch Availability
An updated version of packages has been released to fix the issue. All users should install version 1.22.2 or later from the official repositories and/or the online shop:
Users of the verinice.PRO server should install the available RPM packages using their established update procedure.
Users of the verinice standalone client version will be offered to install the updated version during startup. If the automated update mechanism has been disabled by the user, the update can be manually triggered by accessing the following menu item:
Help -> Check for UpdatesWorkaround and mitigating factors
A user with valid verinice application credentials (i.e. name and password) and network access to the HTTP(S) port (usually one of: 80/443/8080/8443) is required to execute the attack. The user does not need administrative privileges or any particular rights within verinice for the attack to work.
Timeline
Advisory written by the verinice.TEAM of SerNet GmbH.
The verinice.TEAM provided the fix.