Security Advisory

Report on vulnerability CVE-2021-36981 "Insecure Java deserialization of untrusted data".

  • Subject: Unsafe Java deserialization of untrusted data, leading to Remote Code Execution (authenticated)
  • CVE ID#: CVE-2021-36981
  • Versions: All versions of verinice/verinice.PRO before 1.22.2
  • Summary: A vulnerability in the communication between the client and server components can be used by an authenticated user to execute arbitrary code on the server.

1. Description

verinice uses Java serialization as a communication channel between client and server components. Frank Nusko of Secianus GmbH has found that the mechanism and framework being used is susceptible to exploits that can be used to cause execution of arbitrary code on the server component. The verinice.TEAM has confirmed the vulnerability.

Since this server component is also used in the standalone mode of verinice, it could theoretically be used for local attacks of the verinice client-only product by a malicious user. A malicious user on the same machine could execute arbitrary commands on the local host but with the permissions and context of the user running the verinice client. This second attack variant was not verified by us but as a cautionary measure we recommend all standalone-client users to install the available patch as well.

The vulnerability can be exploited to gain access to the underlying operating system, modify files, delete files and extract information, including all data in the verinice database.

2. Patch Availability

An updated version of packages has been released to fix the issue. All users should install version 1.22.2 or later from the official repositories and/or the online shop:

Users of the verinice.PRO server should install the available RPM packages using their established update procedure.

Users of the verinice standalone client version will be offered to install the updated version during startup. If the automated update mechanism has been disabled by the user, the update can be manually triggered by accessing the following menu item:

Help -> Check for Updates

3. CVSSv3 calculation

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8)

4. Workaround and mitigating factors

A user with valid verinice application credentials (i.e. name and password) and network access to the HTTP(S) port (usually one of: 80/443/8080/8443) is required to execute the attack. The user does not need administrative privileges or any particular rights within verinice for the attack to work.

5. Timeline

  • 2021-07-14 – Frank Nusko of Secianus GmbH notified SerNet about the bug
  • 2021-08-02 – SerNet has patch ready on source branch for testing
  • 2021-08-12 – Secianus verified the patch
  • 2021-08-30 – verinice 1.22.2 released, customers notified

Reported by Frank Nusko, Secianus GmbH.

Advisory written by the verinice.TEAM of SerNet GmbH.

The verinice.TEAM provided the fix.

Questions or problems with your update?

Please feel free to contact us – we're here to help you!

Send Mail

Deutsch English Lingua italiana Český jazyk
Contact us
Contact

We are here for you!

Our sales team will be happy to help you with any questions you may have about SerNet's verinice products and services - personally and tailored to your individual interests.

You can reach us directly by phone at +49 551 370000-0.
Send us an email at vertrieb@remove-this.sernet.de.

verinice sales team
Sales team: Christian Börker, Alina Schnur, Nadine Dreymann, Andrea Schell, Willem Rothe
captcha
* mandatory fields

licensed by

Bundesamt für Sicherheit in der Informationstechnik
IT-Grundschutz

SerNet

SerNet GmbH

Bahnhofsallee 1b
37081 Göttingen
www.sernet.de

© SerNet GmbH, 2024