SEPTEMBER 2023 |

Vulnerability on Bastion dashboard

A vulnerability has been discovered in the WALLIX Bastion that may allow an unauthenticated attacker to access sensitive information. Exploitation requires network access to the administration web interface and allows security access controls to be bypassed.

WALLIX recommends immediately applying one of the workarounds described below.

Affected Products:

All major and minor versions of WALLIX Bastion including and after 9.0.0

Workarounds:
  • Run the following script as root on the WALLIX Bastion:
    • Log in to the Bastion over SSH with the wabadmin account,
    • Download the script https://cloud.wallix.com/index.php/s/wdqXRSfBk5ZZxEQ (sha256 checksum: 59781a247251318f710a9aaf6df5083ee63a0478ea9ef55f3c24f70045ba630c),
    • Type the “super” command to become the wabsuper user,
    • Type “sudo -i” to become root,
    • Make the script executable,
    • Launch the script.

The script updates the system configuration and renews the key used to sign user cookies in the analytics component.

The script can be executed on all versions of the Bastion. It also reports whether the vulnerability has been exploited.
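Before running a downloaded script as root, a practitioner will want to check it against the checksum published in the advisory and only then mark it executable. This is an added example, not WALLIX's script or part of the advisory; the script file name is a placeholder and the sample data in the test is constructed.

```python
import hashlib
import os
import stat
import sys

# sha256 checksum published in the advisory for the workaround script
ADVISORY_SHA256 = "59781a247251318f710a9aaf6df5083ee63a0478ea9ef55f3c24f70045ba630c"


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large downloads never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_executable(path):
    """True if the owner-executable bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IXUSR)


def verify_and_mark_executable(path, expected_sha256=ADVISORY_SHA256):
    """Set the owner-executable bit only if the checksum matches; return the verdict.

    On mismatch the file is left non-executable and False is returned, so a
    tampered or truncated download is never run as root by mistake.
    """
    actual = sha256_of_file(path)
    if actual.lower() != expected_sha256.lower():
        return False
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return True


if __name__ == "__main__":
    # Hypothetical file name; pass the real downloaded path as the first argument.
    script = sys.argv[1] if len(sys.argv) > 1 else "bastion-workaround.sh"
    if verify_and_mark_executable(script):
        print(f"{script}: checksum OK, marked executable; launch it as root as described above")
    else:
        print(f"{script}: CHECKSUM MISMATCH, do not run", file=sys.stderr)
        sys.exit(1)
```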

  • If the dashboard and discovery features are not needed, deactivate the “Enable modules” option. This option is accessible from the Bastion web administration interface: “Configuration” > “Configuration options” > “Module configuration”, section “main”. It is displayed only when the “Advanced options” checkbox at the top right of the page has been selected.

NB:

  • One workaround is enough, depending on your Bastion usage. There is no need to apply both.
  • Whichever workaround you choose (script or disabling the module), it must be applied on all Bastions when replication is used.
  • Running the script WILL NOT impact current sessions.
  • A restart IS NOT required.

Fixed Software:

New releases including the fix are currently being prepared and will be released soon:

  • 9.0.9: 1st week of September 2023
  • 10.0.5: 1st week of October 2023

FEBRUARY 2023 |

Access Manager privilege escalation CVE-2023-23592

SUMMARY

A vulnerability has been discovered in the WALLIX Access Manager product that may allow an attacker to access sensitive information. The attacker could use this vulnerability to gain illegitimate access.

WALLIX recommends applying the published fixes immediately or, until they are applied, the workaround described below.

Affected Products

All versions of WALLIX Access Manager.

Workarounds

The following article of our knowledge base provides you with the workaround procedure.

https://support.wallix.com/s/article/How-can-I-mitigate-CVE-2023-23592

Fixed Software

Hotfix versions are available on our download portal.

Exploitation and Public Announcements

WALLIX is not aware of any public announcements or malicious use of the vulnerability described in this advisory. However, it is recommended to look for any abnormal activity on the WALLIX Bastions connected to WALLIX Access Manager. In particular, look for unusual IP addresses used by privileged users, and especially for a single IP address used by multiple user accounts.
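The two signals recommended above (a single source IP shared by several privileged accounts, and a privileged user appearing from an IP not seen during a baseline period) can be checked over exported authentication events. This is an added example, not WALLIX tooling; the event tuples are a constructed sample and do not assume the real Bastion or Access Manager log format.

```python
from collections import defaultdict

# Constructed sample: (ISO timestamp, user, source IP, privileged account?).
# 198.51.100.7 is shared by three privileged accounts, which is the pattern to flag.
SAMPLE_EVENTS = [
    ("2023-02-10T08:01:12Z", "alice", "10.0.0.5", True),
    ("2023-02-10T08:03:40Z", "bob", "10.0.0.6", True),
    ("2023-02-10T09:15:02Z", "alice", "198.51.100.7", True),
    ("2023-02-10T09:16:30Z", "bob", "198.51.100.7", True),
    ("2023-02-10T09:17:05Z", "carol", "198.51.100.7", True),
    ("2023-02-10T10:00:00Z", "dave", "192.0.2.9", False),
    ("2023-02-10T10:02:00Z", "erin", "192.0.2.9", False),
]


def shared_source_ips(events, min_accounts=2, privileged_only=True):
    """Return {ip: sorted users} for IPs used by at least min_accounts distinct accounts."""
    users_by_ip = defaultdict(set)
    for _ts, user, ip, privileged in events:
        if privileged_only and not privileged:
            continue
        users_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_accounts}


def new_source_ips(events, baseline_end):
    """Return {user: sorted IPs} first used by that user after baseline_end.

    ISO-8601 timestamps in the same zone sort lexically. A user with no
    baseline activity at all is also reported, since every IP is new for them.
    """
    baseline = defaultdict(set)
    new_ips = defaultdict(set)
    for ts, user, ip, _privileged in sorted(events):
        if ts <= baseline_end:
            baseline[user].add(ip)
        elif ip not in baseline[user]:
            new_ips[user].add(ip)
    return {user: sorted(ips) for user, ips in new_ips.items()}


if __name__ == "__main__":
    for ip, users in shared_source_ips(SAMPLE_EVENTS).items():
        print(f"REVIEW: {ip} used by privileged accounts {', '.join(users)}")
    for user, ips in new_source_ips(SAMPLE_EVENTS, "2023-02-10T09:00:00Z").items():
        print(f"REVIEW: {user} seen from new IP(s) {', '.join(ips)}")
```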

Source

Internal security checks

DECEMBER 2021 |

Log4J remote code execution vulnerability (CVE-2021-44228)

SUMMARY

The Alibaba Cloud Security Team published a vulnerability in log4j, a common Java logging library, on 9 December 2021 (CVE-2021-44228). This vulnerability allows unauthenticated remote code execution on Java applications.

Affected Products

All versions of WALLIX Access Manager

Workarounds

The default configuration of WALLIX Access Manager prevents exploitation of this vulnerability via the login field.

However, to rule out any possibility of exploitation should the default configuration of WALLIX Access Manager be modified, the WALLIX team provides a patch that deactivates the faulty class of the log4j library.

This patch applies to all releases of Access Manager from version 2.0 onwards.

The following article of our knowledge base provides access to the patch as well as the procedure to install it.

https://support.wallix.com/s/article/CVE-2021-44228-Mitigation-procedure

Fixed Software

An update of the Log4J version is planned alongside the Access Manager version 3.0.11.

This version is planned to be released by the end of December 2021.

Exploitation and Public Announcements

WALLIX is not aware of any public announcements or malicious use of the vulnerability described in this advisory. However, it is recommended to look for any abnormal activity on the WALLIX Bastions connected to WALLIX Access Manager. In particular, look for the creation of new users or authorizations, especially since the publication of the CVE.

Source

The Alibaba Cloud Security Team published a vulnerability in log4j, a common Java logging library, on 9 December 2021 (CVE-2021-44228).

JANUARY 2021 |

Sudo Privilege Escalation affecting WALLIX Products – CVE-2021-3156

SUMMARY

The Qualys Research Team has discovered a heap overflow vulnerability in sudo (CVE-2021-3156). By exploiting it, any local unprivileged user can gain root privileges on a vulnerable host with the default sudo configuration.

sudo can only be exploited locally. This means that either:

  • The user is connected to the WALLIX Bastion through the wabadmin account on the administration interface. This user can then exploit sudo to become root and bypass all security controls of the WALLIX Bastion.
  • A Remote Code Execution (RCE) vulnerability exists in another piece of WALLIX or third-party software that provides a local shell. After successfully exploiting that vulnerability, the attacker would be able to exploit sudo to become root. To WALLIX's knowledge, an up-to-date Bastion has no such vulnerability.

Affected Products

  • All versions up to and including WALLIX Bastion 8.0.6
  • All versions 8.1 and 8.2

Workarounds

There is no workaround for this vulnerability.

Fixed Software

This vulnerability is fixed from WALLIX Bastion 8.0.7 and 7.0.14 onwards.

  • A fix patch is available for version 8.0.6 and earlier (it also applies to versions 8.1 and 8.2)
  • A fix patch is available for version 7.0.13 and earlier

These elements are available on our download site: WALLIX Support: Patches

Exploitation and Public Announcements

WALLIX is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

On January 26, 2021, Qualys publicly disclosed this vulnerability in a security bulletin at the following link: https://blog.qualys.com

OCTOBER 2018 |

libssh Authentication Bypass Vulnerability Affecting WALLIX Products

SUMMARY

• A vulnerability in libssh could allow an unauthenticated, remote attacker to bypass authentication on a targeted system.

The vulnerability is due to improper authentication handling by the server-side state machine of the affected software. An attacker could exploit this vulnerability by presenting an SSH2_MSG_USERAUTH_SUCCESS message to a targeted system. A successful exploit could allow the attacker to bypass

Affected Products

All versions of WALLIX Bastion are affected.

Workarounds

As this only affects configurations using SSH public key authentication on primary accounts, a workaround is to remove the public keys and use another authentication method (password, X509, etc.).

Fixed Software

This vulnerability is fixed in the latest supported versions of our software that are available on our download site.

Exploitation and Public Announcements

• WALLIX is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

• On October 16, 2018, libssh.org publicly disclosed this vulnerability in a security bulletin at the following link: https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/